Abstract. We define five increasingly comprehensive classes of infinite-state systems, called STS1-5, whose state spaces have finitary structure. For four of these classes, we provide examples from hybrid systems.

STS1 These are the systems with finite bisimilarity quotients. They can be analyzed symbolically by (1) iterating the predecessor and boolean operations starting from a finite set of observable state sets, and (2) terminating when no new state sets are generated. This enables model checking of the $\mu$-calculus.

STS2 These are the systems with finite similarity quotients. They can be analyzed symbolically by iterating the predecessor and positive boolean operations. This enables model checking of the existential and universal fragments of the $\mu$-calculus.

STS3 These are the systems with finite trace-equivalence quotients. They can be analyzed symbolically by iterating the predecessor operation and a restricted form of positive boolean operations (intersection is restricted to intersection with observables). This enables model checking of linear temporal logic.

STS4 These are the systems with finite distance-equivalence quotients (two states are equivalent if for every distance d, the same observables can be reached in d transitions). The systems in this class can be analyzed symbolically by iterating the predecessor operation and terminating when no new state sets are generated. This enables model checking of the existential conjunction-free and universal disjunction-free fragments of the $\mu$-calculus.

STS5 These are the systems with finite bounded-reachability quotients (two states are equivalent if for 
every distance d, the same observables can be reached in d or fewer transitions). The systems in this 
class can be analyzed symbolically by iterating the predecessor operation and terminating when no new 
states are encountered. This enables model checking of reachability properties. 



Introduction 

To explore the state space of an infinite-state transition system, it is often convenient to compute on a data type called "region," whose members represent (possibly infinite) sets of states. Regions might be implemented, for example, as constraints on the integers or reals. We say that a transition system is "symbolic" if it comes equipped with an algebra of regions which permits the effective computation of certain operations on regions. For model checking, we are particularly interested in boolean operations on regions as well as the predecessor operation, which, given a target region, computes the region of all states with successors in the target region. While a region algebra supports individual operations on regions, the iteration of these operations may generate an infinite number of distinct regions. In this paper, we study restricted classes of symbolic transition systems for which certain forms of iteration, if terminated after a finite number of operations, still yield sufficient information for checking interesting, unbounded temporal properties of the system.

* This research was supported in part by the DARPA (NASA) grant NAG2-1214, the DARPA (Wright-Patterson AFB) grant F33615-C-98-3614, the MARCO grant 98-DT-660, the ARO MURI grant DAAH-04-96-1-0341, the NSF CAREER award CCR-9501708, and the Belgian National Fund for Scientific Research (FNRS).



0.1 Symbolic Transition Systems 



Definition: Symbolic transition system A symbolic transition system $S = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$ consists of a (possibly infinite) set $Q$ of states, a (possibly nondeterministic) transition function $\delta: Q \to 2^Q$ which maps each state to a set of successor states, a (possibly infinite) set $R$ of regions, an extension function $\llbracket\cdot\rrbracket: R \to 2^Q$ which maps each region to a set of contained states, and a finite set $P \subseteq R$ of observables, such that the following six conditions are satisfied:

1. The set $P$ of observables covers the state space $Q$; that is, $\bigcup\{\llbracket p\rrbracket \mid p \in P\} = Q$. Moreover, for each observable $p \in P$, there is a complementary observable $\bar p \in P$ such that $\llbracket \bar p\rrbracket = Q \setminus \llbracket p\rrbracket$.

2. For each region $\sigma \in R$, there is a region $Pre(\sigma) \in R$ such that

$\llbracket Pre(\sigma)\rrbracket = \{u \in Q \mid (\exists v \in \delta(u): v \in \llbracket\sigma\rrbracket)\}$;

furthermore, the function $Pre: R \to R$ is computable.

3. For each pair $\sigma, \tau \in R$ of regions, there is a region $And(\sigma, \tau) \in R$ such that $\llbracket And(\sigma, \tau)\rrbracket = \llbracket\sigma\rrbracket \cap \llbracket\tau\rrbracket$; furthermore, the function $And: R \times R \to R$ is computable.

4. For each pair $\sigma, \tau \in R$ of regions, there is a region $Diff(\sigma, \tau) \in R$ such that $\llbracket Diff(\sigma, \tau)\rrbracket = \llbracket\sigma\rrbracket \setminus \llbracket\tau\rrbracket$; furthermore, the function $Diff: R \times R \to R$ is computable.

5. All emptiness questions about regions can be decided; that is, there is a computable function $Empty: R \to \mathbb{B}$ such that $Empty(\sigma)$ iff $\llbracket\sigma\rrbracket = \emptyset$.

6. All membership questions about regions can be decided; that is, there is a computable function $Member: Q \times R \to \mathbb{B}$ such that $Member(u, \sigma)$ iff $u \in \llbracket\sigma\rrbracket$.

The tuple $\mathcal{R}_S = (P, Pre, And, Diff, Empty)$ is called the region algebra of $S$. □

Remark: Duality We take an existential view of symbolic transition systems. The dual, universal view requires (1) $\bigcap\{\llbracket p\rrbracket \mid p \in P\} = \emptyset$, (2-4) closure of $R$ under computable functions $\widetilde{Pre}$, $\widetilde{And}$, and $\widetilde{Diff}$ such that

$\llbracket\widetilde{Pre}(\sigma)\rrbracket = \{u \in Q \mid (\forall v \in \delta(u): v \in \llbracket\sigma\rrbracket)\}$,

$\llbracket\widetilde{And}(\sigma, \tau)\rrbracket = \llbracket\sigma\rrbracket \cup \llbracket\tau\rrbracket$, and $\llbracket\widetilde{Diff}(\sigma, \tau)\rrbracket = Q \setminus \llbracket Diff(\tau, \sigma)\rrbracket$, and (5) a computable function $\widetilde{Empty}$ for deciding all universality questions about regions (that is, $\widetilde{Empty}(\sigma)$ iff $\llbracket\sigma\rrbracket = Q$). All results of this paper have an alternative, dual formulation. □

Remark: Abstract Interpretation The region algebra of a symbolic transition system may be viewed as the collecting semantics (in the sense of abstract interpretation [CC77]) of the concrete semantics of the transition system. In fact, in a symbolic transition system, the semantics is lifted from individual states to sets of states. We refer the interested reader to [CC77] for more details about collecting semantics and abstract interpretation. □



0.2 Example: Polyhedral Hybrid Automata 

A polyhedral hybrid automaton $H$ of dimension $m$, for a positive integer $m$, consists of the following components [AHH96]:

Continuous variables A set $X = \{x_1, \dots, x_m\}$ of real-valued variables. We write $\dot X$ for the set $\{\dot x_1, \dots, \dot x_m\}$ of dotted variables (which represent first derivatives during continuous change), and we write $X'$ for the set $\{x_1', \dots, x_m'\}$ of primed variables (which represent values at the conclusion of discrete change). A linear constraint over $X$ is an expression of the form $k_0 \sim k_1 x_1 + \dots + k_m x_m$, where $\sim \in \{<, \le, =, \ge, >\}$ and $k_0, \dots, k_m$ are integer constants. A linear predicate over $X$ is a boolean combination of linear constraints over $X$. Let $L^m$ be the set of linear predicates over $X$.

Discrete locations A finite directed multigraph {V,E). The vertices in V are called locations; the edges 
in E are called jumps. 

Invariant and flow conditions Two vertex-labeling functions $inv$ and $flow$. For each location $v$, the invariant condition $inv(v)$ is a conjunction of linear constraints over $X$, and the flow condition $flow(v)$ is a conjunction of linear constraints over $\dot X$. While the automaton control resides in location $v$, the variables may evolve according to $flow(v)$ as long as $inv(v)$ remains true.

Update conditions An edge-labeling function $update$. For each jump $e \in E$, the update condition $update(e)$ is a conjunction of linear constraints over $X \cup X'$. The predicate $update(e)$ relates the possible values of the variables at the beginning of the jump (represented by $X$) and at the conclusion of the jump (represented by $X'$).



The polyhedral hybrid automaton $H$ is a rectangular automaton [HKPV95] if

— all linear constraints that occur in invariant conditions of $H$ have the form $x \sim k$, for $x \in X$ and $k \in \mathbb{Z}$;

— all linear constraints that occur in flow conditions of $H$ have the form $\dot x \sim k$, for $x \in X$ and $k \in \mathbb{Z}$;

— all linear constraints that occur in jump conditions of $H$ have the form $x \sim k$ or $x' = x$ or $x' \sim k$, for $x \in X$ and $k \in \mathbb{Z}$;

— if $e$ is a jump from location $v$ to location $v'$, and $update(e)$ contains the conjunct $x' = x$, then both $flow(v)$ and $flow(v')$ contain the same constraints on $\dot x$.

The rectangular automaton $H$ is a singular automaton if each flow condition of $H$ has the form $\dot x_1 = k_1 \wedge \dots \wedge \dot x_m = k_m$. The singular automaton $H$ is a timed automaton [AD94] if each flow condition of $H$ has the form $\dot x_1 = 1 \wedge \dots \wedge \dot x_m = 1$.

The polyhedral hybrid automaton $H$ defines the symbolic transition system $S_H = (Q_H, \delta_H, R_H, \llbracket\cdot\rrbracket_H, P_H)$ with the following components:

— $Q_H = V \times \mathbb{R}^m$; that is, every state $(v, \mathbf{x})$ consists of a location $v$ (the discrete component of the state) and values $\mathbf{x}$ for the variables in $X$ (the continuous component).

— $(v', \mathbf{x}') \in \delta_H(v, \mathbf{x})$ if either (1) there is a jump $e \in E$ from $v$ to $v'$ such that the closed predicate $update(e)[X, X' := \mathbf{x}, \mathbf{x}']$ is true, or (2) $v' = v$ and there is a real $\Delta > 0$ and a differentiable function $f: [0, \Delta] \to \mathbb{R}^m$ with first derivative $\dot f$ such that $f(0) = \mathbf{x}$ and $f(\Delta) = \mathbf{x}'$, and for all reals $\varepsilon \in (0, \Delta)$, the closed predicates $inv(v)[X := f(\varepsilon)]$ and $flow(v)[\dot X := \dot f(\varepsilon)]$ are true. In case (2), the function $f$ is called a flow function.

— $R_H = V \times L^m$; that is, every region $(v, \phi)$ consists of a location $v$ (the discrete component of the region) and a linear predicate $\phi$ over $X$ (the continuous component).

— $\llbracket (v, \phi)\rrbracket_H = \{(v, \mathbf{x}) \mid \mathbf{x} \in \mathbb{R}^m \text{ and } \phi[X := \mathbf{x}] \text{ is true}\}$; that is, the extension function maps the continuous component of a region to the values for the variables in $X$ which satisfy the predicate $\phi$. Consequently, the extension of every region consists of a location and a polyhedral subset of $\mathbb{R}^m$.

— $P_H = V \times \{true\}$; that is, only the discrete component of a state is observable.

It requires some work to see that $S_H$ is indeed a symbolic transition system. First, notice that the linear predicates over $X$ are closed under all boolean operations, and that satisfiability is decidable for the linear predicates. Second, the $Pre$ operator is computable on $R_H$, because all flow functions can be replaced by straight lines [AHH96].



0.3 Background Definitions 

The symbolic transition systems are a special case of transition systems. A transition system $S = (Q, \delta, \llbracket\cdot\rrbracket, P)$ has the same components as a symbolic transition system, except that no regions are specified and the extension function is defined only for the observables (that is, $\llbracket\cdot\rrbracket: P \to 2^Q$).

State equivalences A state equivalence $\cong$ is a family of relations which contains for each transition system $S$ an equivalence relation $\cong^S$ on the states of $S$. The $\cong$ equivalence problem for a class $\mathcal{C}$ of transition systems asks, given two states $u$ and $v$ of a transition system $S$ from the class $\mathcal{C}$, whether $u \cong^S v$. The state equivalence $\cong_a$ is as coarse as the state equivalence $\cong_b$ if $u \cong_b^S v$ implies $u \cong_a^S v$ for all transition systems $S$. The equivalence $\cong_a$ is coarser than $\cong_b$ if $\cong_a$ is as coarse as $\cong_b$ but $\cong_b$ is not as coarse as $\cong_a$. Given a transition system $S = (Q, \delta, \llbracket\cdot\rrbracket, P)$ and a state equivalence $\cong$, the quotient system is the transition system $S/\!\cong\; = (Q/\!\cong, \delta/\!\cong, \llbracket\cdot\rrbracket/\!\cong, P)$ with the following components:

— the states in $Q/\!\cong$ are the equivalence classes of $\cong^S$;

— $\tau \in \delta/\!\cong(\sigma)$ if there is a state $u \in \sigma$ and a state $v \in \tau$ such that $v \in \delta(u)$;

— $\sigma \in \llbracket p\rrbracket/\!\cong$ if there is a state $u \in \sigma$ such that $u \in \llbracket p\rrbracket$.

The quotient construction is of particular interest to us when it transforms an infinite-state system $S$ into a finite-state system $S/\!\cong$.

State logics A state logic $L$ is a logic whose formulas are interpreted over the states of transition systems; that is, for every $L$-formula $\varphi$ and every transition system $S$, there is a set $\llbracket\varphi\rrbracket_S$ of states of $S$ which satisfy $\varphi$. The $L$ model-checking problem for a class $\mathcal{C}$ of transition systems asks, given an $L$-formula $\varphi$ and a state $u$ of a transition system $S$ from the class $\mathcal{C}$, whether $u \in \llbracket\varphi\rrbracket_S$. Two formulas $\varphi$ and $\psi$ of state logics are equivalent if $\llbracket\varphi\rrbracket_S = \llbracket\psi\rrbracket_S$ for all transition systems $S$. The state logic $L_a$ is as expressive as the state logic $L_b$ if for every $L_b$-formula $\varphi$, there is an $L_a$-formula $\psi$ which is equivalent to $\varphi$. The logic $L_a$ is more expressive than $L_b$ if $L_a$ is as expressive as $L_b$, but $L_b$ is not as expressive as $L_a$. Every state logic $L$ induces a state equivalence, denoted $\cong_L$: for all states $u$ and $v$ of a transition system $S$, define $u \cong_L^S v$ if for all $L$-formulas $\varphi$, we have $u \in \llbracket\varphi\rrbracket_S$ iff $v \in \llbracket\varphi\rrbracket_S$. The state logic $L$ admits abstraction if for every $L$-formula $\varphi$ and every transition system $S$, we have $\llbracket\varphi\rrbracket_S = \bigcup\{\sigma \mid \sigma \in \llbracket\varphi\rrbracket_{S/\cong_L}\}$; that is, a state $u$ of $S$ satisfies an $L$-formula $\varphi$ iff the $\cong_L$ equivalence class of $u$ satisfies $\varphi$ in the quotient system. Consequently, if $L$ admits abstraction, then every $L$ model-checking question on a transition system $S$ can be reduced to an $L$ model-checking question on the induced quotient system $S/\!\cong_L$. Below, we shall repeatedly prove the $L$ model-checking problem for a class $\mathcal{C}$ to be decidable by observing that for every transition system $S$ from $\mathcal{C}$, the quotient system $S/\!\cong_L$ has finitely many states and can be constructed effectively.

Symbolic semi-algorithms A symbolic semi-algorithm takes as input the region algebra $\mathcal{R}_S = (P, Pre, And, Diff, Empty)$ of a symbolic transition system $S = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$, and generates regions in $R$ using the operations $P$, $Pre$, $And$, $Diff$, and $Empty$. Depending on the input $S$, a symbolic semi-algorithm on $S$ may or may not terminate.



0.4 Preview 



In sections 1-5 of this paper, we shall define five increasingly comprehensive classes of symbolic transition systems. In each case $i \in \{1, \dots, 5\}$, we will proceed in four steps:

1 Definition: Finite characterization We give a state equivalence $\cong_i$ and define the class STS($i$) to contain precisely the symbolic transition systems $S$ for which the equivalence relation $\cong_i^S$ has finite index (i.e., there are finitely many $\cong_i^S$ equivalence classes). Each state equivalence $\cong_i$ is coarser than its predecessor $\cong_{i-1}$, which implies that STS($i-1$) $\subset$ STS($i$) for $i \in \{2, \dots, 5\}$.

2 Algorithmics: Symbolic state-space exploration We give a symbolic semi-algorithm that terminates precisely on the symbolic transition systems in the class STS($i$). This provides an operational characterization of the class STS($i$) which is equivalent to the denotational definition of STS($i$). Termination of the semi-algorithm is proved by observing that if given the region algebra of a symbolic transition system $S$ as input, then the extensions of all regions generated by the semi-algorithm are $\cong_i^S$ blocks (i.e., unions of $\cong_i^S$ equivalence classes). If $S$ is in the class STS($i$), then there are only finitely many $\cong_i^S$ blocks, and the semi-algorithm terminates upon having constructed a representation of the quotient system $S/\!\cong_i$. The semi-algorithm can therefore be used to decide all $\cong_i$ equivalence questions for the class STS($i$).

3 Verification: Decidable properties We give a state logic $L_i$ which admits abstraction and induces the state equivalence $\cong_i$. Since quotients can be constructed effectively, it follows that the $L_i$ model-checking problem for the class STS($i$) is decidable. However, model-checking algorithms which rely on the explicit construction of quotient systems are usually impractical. Hence, we also give a symbolic semi-algorithm that terminates on the symbolic transition systems in the class STS($i$) and directly decides all $L_i$ model-checking questions for this class.

4 Example: Hybrid systems The interesting members of the class STS($i$) are those with infinitely many states. In four out of the five cases, following [Hen96], we provide certain kinds of polyhedral hybrid automata as examples.






Symbolic semi-algorithm Closure1

Input: a region algebra $\mathcal{R} = (P, Pre, And, Diff, Empty)$.

  $T_0 := P$;
  for $i = 0, 1, 2, \dots$ do
    $T_{i+1} := T_i \cup \{Pre(\sigma) \mid \sigma \in T_i\} \cup \{And(\sigma, \tau) \mid \sigma, \tau \in T_i\} \cup \{Diff(\sigma, \tau) \mid \sigma, \tau \in T_i\}$
  until $\llbracket T_{i+1}\rrbracket \subseteq \llbracket T_i\rrbracket$.

The termination test $\llbracket T_{i+1}\rrbracket \subseteq \llbracket T_i\rrbracket$, which is shorthand for $\{\llbracket\sigma\rrbracket \mid \sigma \in T_{i+1}\} \subseteq \{\llbracket\sigma\rrbracket \mid \sigma \in T_i\}$, is decided as follows: for each region $\sigma \in T_{i+1}$ check that there is a region $\tau \in T_i$ such that both $Empty(Diff(\sigma, \tau))$ and $Empty(Diff(\tau, \sigma))$.

Fig. 1. Partition refinement



1 Class-1 Symbolic Transition Systems 

Class-1 systems are characterized by finite bisimilarity quotients. The region algebra of a class-1 system has a finite subalgebra that contains the observables and is closed under $Pre$, $And$, and $Diff$ operations. This enables the model checking of all $\mu$-calculus properties. Infinite-state examples of class-1 systems are provided by the singular hybrid automata.



1.1 Finite Characterization: Bisimilarity 

Definition: Bisimilarity Let $S = (Q, \delta, \llbracket\cdot\rrbracket, P)$ be a transition system. A binary relation $\preceq$ on the state space $Q$ is a simulation on $S$ if $u \preceq v$ implies the following two conditions:

1. For each observable $p \in P$, we have $u \in \llbracket p\rrbracket$ iff $v \in \llbracket p\rrbracket$.

2. For each state $u' \in \delta(u)$, there is a state $v' \in \delta(v)$ such that $u' \preceq v'$.

Two states $u, v \in Q$ are bisimilar, denoted $u \cong_1^S v$, if there is a symmetric simulation $\preceq$ on $S$ such that $u \preceq v$. The state equivalence $\cong_1$ is called bisimilarity. □

Definition: Class STS1 A symbolic transition system $S$ belongs to the class STS1 if the bisimilarity relation $\cong_1^S$ has finite index. □



1.2 Symbolic State-space Exploration: Partition Refinement 



The bisimilarity relation of a finite-state system can be computed by partition refinement [KS90]. The symbolic semi-algorithm Closure1 of Figure 1 applies this method to infinite-state systems [BFH90, Hen95]. Suppose that the input given to Closure1 is the region algebra of a symbolic transition system $S = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$. Then each $T_i$, for $i \ge 0$, is a finite set of regions; that is, $T_i \subseteq R$. By induction it is easy to check that for all $i \ge 0$, the extension of every region in $T_i$ is a $\cong_1^S$ block. Thus, if $\cong_1^S$ has finite index, then Closure1 terminates. Conversely, suppose that Closure1 terminates with $\llbracket T_{i+1}\rrbracket \subseteq \llbracket T_i\rrbracket$. From the definition of bisimilarity it follows that if for each region $\sigma \in T_i$, we have $u \in \llbracket\sigma\rrbracket$ iff $v \in \llbracket\sigma\rrbracket$, then $u \cong_1^S v$. This implies that $\cong_1^S$ has finite index.

Theorem 1A For all symbolic transition systems $S$, the symbolic semi-algorithm Closure1 terminates on the region algebra $\mathcal{R}_S$ iff $S$ belongs to the class STS1.

Corollary 1A The $\cong_1$ (bisimilarity) equivalence problem is decidable for the class STS1 of symbolic transition systems.
1.3 Decidable Properties: Branching Time

Definition: $\mu$-calculus The formulas of the $\mu$-calculus are generated by the grammar

$\varphi ::= p \mid \bar p \mid x \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \exists\bigcirc\varphi \mid \forall\bigcirc\varphi \mid (\mu x: \varphi) \mid (\nu x: \varphi)$,

for constants $p$ from some set $\Pi$, and variables $x$ from some set $X$. Let $S = (Q, \delta, \llbracket\cdot\rrbracket, P)$ be a transition system whose observables include all constants; that is, $\Pi \subseteq P$. Let $\mathcal{E}: X \to 2^Q$ be a mapping from the variables to sets of states. We write $\mathcal{E}[x \mapsto \rho]$ for the mapping that agrees with $\mathcal{E}$ on all variables, except that $x \in X$ is mapped to $\rho \subseteq Q$. Given $S$ and $\mathcal{E}$, every formula $\varphi$ of the $\mu$-calculus defines a set $\llbracket\varphi\rrbracket_{S,\mathcal{E}} \subseteq Q$ of states:

$\llbracket x\rrbracket_{S,\mathcal{E}} = \mathcal{E}(x)$;

$\llbracket \varphi_1 \{\vee, \wedge\} \varphi_2\rrbracket_{S,\mathcal{E}} = \llbracket\varphi_1\rrbracket_{S,\mathcal{E}} \{\cup, \cap\} \llbracket\varphi_2\rrbracket_{S,\mathcal{E}}$;

$\llbracket \{\exists, \forall\}\bigcirc\varphi\rrbracket_{S,\mathcal{E}} = \{u \in Q \mid (\{\exists, \forall\} v \in \delta(u): v \in \llbracket\varphi\rrbracket_{S,\mathcal{E}})\}$;

$\llbracket (\{\mu, \nu\} x: \varphi)\rrbracket_{S,\mathcal{E}} = \{\bigcap, \bigcup\}\{\rho \subseteq Q \mid \rho = \llbracket\varphi\rrbracket_{S,\mathcal{E}[x \mapsto \rho]}\}$.

If we restrict ourselves to the closed formulas of the $\mu$-calculus, then we obtain a state logic, denoted $L_1$: the state $u \in Q$ satisfies the $L_1$-formula $\varphi$ if $u \in \llbracket\varphi\rrbracket_{S,\mathcal{E}}$ for any variable mapping $\mathcal{E}$; that is, $\llbracket\varphi\rrbracket_S = \llbracket\varphi\rrbracket_{S,\mathcal{E}}$ for any $\mathcal{E}$. □

Remark: Duality For every $L_1$-formula $\varphi$, the dual $L_1$-formula $\bar\varphi$ is obtained by replacing the constructors $p$, $\bar p$, $\vee$, $\wedge$, $\exists\bigcirc$, $\forall\bigcirc$, $\mu$, and $\nu$ by $\bar p$, $p$, $\wedge$, $\vee$, $\forall\bigcirc$, $\exists\bigcirc$, $\nu$, and $\mu$, respectively. Then, $\llbracket\bar\varphi\rrbracket_S = Q \setminus \llbracket\varphi\rrbracket_S$. It follows that the answer of the model-checking question for a state $u \in Q$ and an $L_1$-formula $\varphi$ is complementary to the answer of the model-checking question for $u$ and the dual formula $\bar\varphi$. □



The following facts about the $\mu$-calculus are relevant in our context [AH98]. First, $L_1$ admits abstraction, and the state equivalence induced by $L_1$ is $\cong_1$ (bisimilarity). Second, $L_1$ is very expressive; in particular, $L_1$ is more expressive than the temporal logics CTL* and CTL, which also induce bisimilarity. Third, the definition of $L_1$ naturally suggests a model-checking method for finite-state systems, where each fixpoint can be computed by successive approximation. The symbolic semi-algorithm ModelCheck of Figure 2 applies this method to infinite-state systems.

Suppose that the input given to ModelCheck is the region algebra of a symbolic transition system $S = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$, a $\mu$-calculus formula $\varphi$, and any mapping $E: X \to 2^R$ from the variables to sets of regions. Then for each recursive call of ModelCheck, each $T_i$, for $i \ge 0$, is a finite set of regions from $R$, and each recursive call returns a finite set of regions from $R$. It is easy to check that all of these regions are also generated by the semi-algorithm Closure1 on input $\mathcal{R}_S$. Thus, if Closure1 terminates, then so does ModelCheck. Furthermore, if it terminates, then ModelCheck returns a set $[\varphi]_E \subseteq R$ of regions such that

$\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in [\varphi]_E\} = \llbracket\varphi\rrbracket_{S,\mathcal{E}}$, where $\mathcal{E}(x) = \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in E(x)\}$ for all $x \in X$.

In particular, if $\varphi$ is closed, then a state $u \in Q$ satisfies $\varphi$ iff $Member(u, \sigma)$ for some region $\sigma \in [\varphi]_E$.

Theorem 1B For all symbolic transition systems $S$ in STS1 and every $L_1$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $\mathcal{R}_S$ and the input formula $\varphi$.

Corollary 1B The $L_1$ model-checking problem is decidable for the class STS1 of symbolic transition systems.

Remark: Duality Model checking of $L_1$-formulas on STS1 systems can also be performed by the dual of the semi-algorithm ModelCheck. Suppose that the input given to the dual semi-algorithm $\overline{\text{ModelCheck}}$ is the dual region algebra of a symbolic transition system $S = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$, and the $L_1$-formula $\varphi$. If $S$ belongs to the class STS1, then $\overline{\text{ModelCheck}}$ terminates with the output $T \subseteq R$ such that $\llbracket\varphi\rrbracket_S = \bigcap\{\llbracket\sigma\rrbracket \mid \sigma \in T\}$. □

Counterexample The converse of Theorem 1B does not hold: there exist symbolic transition systems $S$ such that for every $L_1$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $\mathcal{R}_S$ and $\varphi$, and yet $S$ is not in STS1. Indeed, the example of Figure 3 shows a symbolic transition system for which ModelCheck terminates for every formula $\varphi$ of $L_1$, but iteration of $Pre$ does not terminate. In fact, this is true for every transition system whose transition relation is transitive. □
Symbolic semi-algorithm ModelCheck

Input: a region algebra $\mathcal{R} = (P, Pre, And, Diff, Empty)$, a formula $\varphi \in L_1$, and a mapping $E$ with domain $X$.

Output: $[\varphi]_E :=$

  if $\varphi = p$ then return $\{p\}$;
  if $\varphi = \bar p$ then return $\{Diff(q, p) \mid q \in P\}$;
  if $\varphi = (\varphi_1 \vee \varphi_2)$ then return $[\varphi_1]_E \cup [\varphi_2]_E$;
  if $\varphi = (\varphi_1 \wedge \varphi_2)$ then return $\{And(\sigma, \tau) \mid \sigma \in [\varphi_1]_E$ and $\tau \in [\varphi_2]_E\}$;
  if $\varphi = \exists\bigcirc\varphi'$ then return $\{Pre(\sigma) \mid \sigma \in [\varphi']_E\}$;
  if $\varphi = \forall\bigcirc\varphi'$ then return $P \setminus\!\setminus \{Pre(\sigma) \mid \sigma \in (P \setminus\!\setminus [\varphi']_E)\}$;
  if $\varphi = (\mu x: \varphi')$ then
    $T_0 := \emptyset$;
    for $i = 0, 1, 2, \dots$ do
      $T_{i+1} := [\varphi']_{E[x \mapsto T_i]}$
    until $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_{i+1}\} \subseteq \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_i\}$;
    return $T_i$;
  if $\varphi = (\nu x: \varphi')$ then
    $T_0 := P$;
    for $i = 0, 1, 2, \dots$ do
      $T_{i+1} := [\varphi']_{E[x \mapsto T_i]}$
    until $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_{i+1}\} \supseteq \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T_i\}$;
    return $T_i$.

The pairwise-difference operation $T \setminus\!\setminus T'$ between two finite sets $T$ and $T'$ of regions is computed inductively as follows:

$T \setminus\!\setminus \emptyset = T$;

$T \setminus\!\setminus (\{\tau\} \cup T') = \{Diff(\sigma, \tau) \mid \sigma \in T\} \setminus\!\setminus T'$.

The termination test $\bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T\} \subseteq \bigcup\{\llbracket\sigma\rrbracket \mid \sigma \in T'\}$ is decided by checking that $Empty(\sigma)$ for each region $\sigma \in (T \setminus\!\setminus T')$.

Fig. 2. Model checking
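The following Python is added here as an example of the ModelCheck semi-algorithm of Figure 2; it is not code from the paper. It uses a constructed six-state transition system whose regions are explicit sets of states, so that every region is its own extension and the region-algebra operations are trivial, and it follows the figure case by case, including the pairwise-difference operation and the two fixpoint termination tests.

```python
"""The ModelCheck semi-algorithm of Figure 2 over an explicit-set region algebra.

Added example, not code from the paper. The transition system is constructed:
a -> c1 | c3, b -> c3, c1 -> P, c3 -> P | Q, with observables p = {P}, q = {Q}
and their complements. Regions are frozensets, so each region is its own
extension and Pre, And, Diff, Empty and Member are trivial; the recursion and
the fixpoint termination tests follow the figure case by case.
"""
from typing import Dict, FrozenSet, Set, Tuple

State = str
Region = FrozenSet[State]
Formula = Tuple  # nested tuples: ("p", name), ("np", name), ("var", x),
                 # ("or", f, g), ("and", f, g), ("ex", f), ("ax", f),
                 # ("mu", x, f), ("nu", x, f)

SUCC: Dict[State, Set[State]] = {
    "a": {"c1", "c3"}, "b": {"c3"}, "c1": {"P"},
    "c3": {"P", "Q"}, "P": set(), "Q": set(),
}
STATES: Region = frozenset(SUCC)
OBS: Dict[str, Region] = {"p": frozenset({"P"}), "q": frozenset({"Q"})}
OBS["np"], OBS["nq"] = STATES - OBS["p"], STATES - OBS["q"]
P_ALL: Set[Region] = set(OBS.values())  # the observables P of the region algebra


def pre(sigma: Region) -> Region:
    """Pre(sigma): states with at least one successor inside sigma."""
    return frozenset(u for u, succ in SUCC.items() if succ & sigma)


def pairwise_diff(t: Set[Region], t2: Set[Region]) -> Set[Region]:
    """Pairwise difference of Figure 2: Diff every region of T' from every region of T."""
    for tau in t2:
        t = {sigma - tau for sigma in t}
    return t


def covered(t: Set[Region], t2: Set[Region]) -> bool:
    """Termination test: union(T) within union(T'), decided by Empty on the pairwise difference."""
    return all(len(sigma) == 0 for sigma in pairwise_diff(t, t2))


def model_check(phi: Formula, env: Dict[str, Set[Region]]) -> Set[Region]:
    """Returns [phi]_E, a finite set of regions whose union is the satisfying states."""
    op = phi[0]
    if op == "p":
        return {OBS[phi[1]]}
    if op == "np":  # complement of an observable: {Diff(q, p) | q in P}
        return {q - OBS[phi[1]] for q in P_ALL}
    if op == "var":
        return set(env[phi[1]])
    if op == "or":
        return model_check(phi[1], env) | model_check(phi[2], env)
    if op == "and":
        return {s & t for s in model_check(phi[1], env) for t in model_check(phi[2], env)}
    if op == "ex":
        return {pre(s) for s in model_check(phi[1], env)}
    if op == "ax":  # P \\ {Pre(sigma) | sigma in (P \\ [phi']_E)}
        inner = pairwise_diff(P_ALL, model_check(phi[1], env))
        return pairwise_diff(P_ALL, {pre(s) for s in inner})
    if op in ("mu", "nu"):
        x, body = phi[1], phi[2]
        t = set() if op == "mu" else set(P_ALL)  # T_0
        while True:
            t_next = model_check(body, {**env, x: t})
            if op == "mu" and covered(t_next, t):
                return t
            if op == "nu" and covered(t, t_next):
                return t
            t = t_next
    raise ValueError(f"unknown constructor {op!r}")


def sat_states(phi: Formula) -> Region:
    """Union of the regions returned for a closed formula."""
    return frozenset().union(*model_check(phi, {}))


def satisfies(u: State, phi: Formula) -> bool:
    """Member(u, sigma) for some region sigma in [phi]_E."""
    return any(u in sigma for sigma in model_check(phi, {}))


# Constructed sample properties in the mu-calculus of Section 1.3.
P, NOT_P = ("p", "p"), ("np", "p")
EF_P: Formula = ("mu", "x", ("or", P, ("ex", ("var", "x"))))             # P reachable
AG_NOT_P: Formula = ("nu", "x", ("and", NOT_P, ("ax", ("var", "x"))))   # P never reached
AF_P: Formula = ("mu", "x", ("or", P, ("and", ("ex", ("or", P, NOT_P)),  # P on every path
                                          ("ax", ("var", "x")))))

if __name__ == "__main__":
    for name, f in (("EF p", EF_P), ("AG not p", AG_NOT_P), ("AF p", AF_P)):
        print(name, sorted(sat_states(f)))
```

The sample formulas are the usual CTL-style properties written with fixpoints; the $\forall\bigcirc$ case is where the pairwise difference matters, since the observables only give complements of single regions.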



1.4 Example: Singular Hybrid Automata 



The fundamental theorem of timed automata [AD94] shows that for every timed automaton, the (time-abstract) bisimilarity relation has finite index. The proof can be extended to the singular automata [ACH+95]. It follows that the symbolic semi-algorithm ModelCheck, which has been implemented for polyhedral hybrid automata in the tool HyTech [HHWT95], decides all model-checking questions for singular automata. The singular automata form a maximal class of hybrid automata in STS1. This is because there is a 2D (two-dimensional) rectangular automaton whose bisimilarity relation is state equality [Hen95].

Theorem 1C The singular automata belong to the class STS1. There is a 2D rectangular automaton that does not belong to STS1.



1.5 Example: The 2-Process Bakery Protocol 



Consider the 2-process bakery protocol [Lam74] for mutual exclusion presented as a finite collection of guarded commands in Figure 4. As presented, the protocol uses two variables (the "tokens") that range over the natural numbers. The state of the protocol is given by a 4-tuple $(pc_1, pc_2, y_1, y_2)$ denoting the values of the program counters in the two processes, and the values of the tokens $y_1$ and $y_2$. The observables are boolean formulae over the values of the program counter. However, we can show that the bisimilarity relation of this transition system has finite index. Indeed, define the relation $\equiv$ between states of the protocol as $u \equiv v$ iff (1) $u(pc_i) = v(pc_i)$ for $i = 1, 2$ (where $u(x)$ denotes the valuation to variable $x$ in state $u$); (2) $u(y_i) = 0$ iff $v(y_i) = 0$ for $i = 1, 2$; and (3) $u(y_1) < u(y_2)$ iff $v(y_1) < v(y_2)$. By a simple case enumeration, it can be seen that $\equiv$ is a bisimulation relation on the state space. Moreover, the relation has a finite index (the number of equivalence classes is 72). Thus, the 2-process bakery protocol is in STS1. By Theorem 1A, the closure algorithm Closure1 will terminate on the region algebra of the 2-process bakery mutual exclusion protocol.

Fig. 3. A symbolic transition system for which ModelCheck terminates for every $L_1$-formula $\varphi$, while closure under $Pre$ (and hence Closure1) does not.

var $pc_1, pc_2 : \{N, W, C\}$
var $y_1, y_2 : \mathbb{N}$

  | $pc_1 = N$ → $pc_1, y_1 := W, y_2 + 1$
  | $pc_1 = W \wedge (y_2 = 0 \vee y_1 < y_2)$ → $pc_1 := C$
  | $pc_1 = C$ → $pc_1, y_1 := N, 0$
  | $pc_2 = N$ → $pc_2, y_2 := W, y_1 + 1$
  | $pc_2 = W \wedge (y_1 = 0 \vee y_2 < y_1)$ → $pc_2 := C$
  | $pc_2 = C$ → $pc_2, y_2 := N, 0$

Fig. 4. The 2-process bakery mutual exclusion algorithm
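A bounded check of the bisimulation claim of this section, added here as an example and not the paper's code: the six guarded commands of Figure 4 are transcribed, the relation $\equiv$ is represented by the key $(pc_1, pc_2, y_1 = 0, y_2 = 0, y_1 < y_2)$, and the check explores the states reachable from an assumed initial state $(N, N, 0, 0)$ up to a token bound, verifying that the set of successor classes of every explored state depends only on its own class (which is what makes $\equiv$ a bisimulation). The bound is also an assumption: it limits which reachable states are examined, while successors are always computed exactly.

```python
"""Bounded check that the relation of Section 1.5 is a bisimulation on the
2-process bakery protocol of Figure 4.

Added example, not code from the paper. The six guarded commands are
transcribed from Figure 4; a state is a tuple (pc1, pc2, y1, y2). The class
of a state is the key (pc1, pc2, y1 == 0, y2 == 0, y1 < y2), i.e. the
relation defined in the text. The initial state (N, N, 0, 0) and the token
bound are assumptions of this example: the bound limits which reachable
states are examined, not how their successors are computed.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

State = Tuple[str, str, int, int]
Key = Tuple[str, str, bool, bool, bool]

INIT: State = ("N", "N", 0, 0)  # assumed initial state


def successors(s: State) -> Set[State]:
    """The guarded commands of Figure 4, both processes interleaved."""
    pc1, pc2, y1, y2 = s
    out: Set[State] = set()
    if pc1 == "N":                                   # pc1, y1 := W, y2 + 1
        out.add(("W", pc2, y2 + 1, y2))
    if pc1 == "W" and (y2 == 0 or y1 < y2):          # pc1 := C
        out.add(("C", pc2, y1, y2))
    if pc1 == "C":                                   # pc1, y1 := N, 0
        out.add(("N", pc2, 0, y2))
    if pc2 == "N":                                   # pc2, y2 := W, y1 + 1
        out.add((pc1, "W", y1, y1 + 1))
    if pc2 == "W" and (y1 == 0 or y2 < y1):          # pc2 := C
        out.add((pc1, "C", y1, y2))
    if pc2 == "C":                                   # pc2, y2 := N, 0
        out.add((pc1, "N", y1, 0))
    return out


def key(s: State) -> Key:
    """Equivalence class of s under the relation of Section 1.5."""
    pc1, pc2, y1, y2 = s
    return (pc1, pc2, y1 == 0, y2 == 0, y1 < y2)


def explore(bound: int) -> Set[State]:
    """Reachable states from INIT whose tokens do not exceed the bound."""
    seen: Set[State] = {INIT}
    todo: List[State] = [INIT]
    while todo:
        s = todo.pop()
        for t in successors(s):
            if t not in seen and max(t[2], t[3]) <= bound:
                seen.add(t)
                todo.append(t)
    return seen


def check_bisimulation(bound: int) -> Tuple[bool, int]:
    """A bisimulation must let equivalent states reach the same classes:
    the set of successor classes has to be a function of the state's own
    class (observables agree by construction of the key, which contains the
    program counters). Returns (holds on explored states, classes seen)."""
    succ_classes: Dict[Key, FrozenSet[Key]] = {}
    for s in explore(bound):
        ks = frozenset(key(t) for t in successors(s))
        if succ_classes.setdefault(key(s), ks) != ks:
            return False, len(succ_classes)
    return True, len(succ_classes)


def mutual_exclusion_holds(bound: int) -> bool:
    """No explored state has both processes in the critical section C."""
    return not any(s[0] == "C" and s[1] == "C" for s in explore(bound))


if __name__ == "__main__":
    ok, classes = check_bisimulation(8)
    print("bisimulation on explored states:", ok, "classes:", classes)
    print("mutual exclusion:", mutual_exclusion_holds(8))
```

The number of classes reported is the number met on the explored reachable states, which is at most the 72 classes the text counts over all valuations.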

2 Class-2 Symbolic Transition Systems 

Class-2 systems are characterized by finite similarity quotients. The region algebra of a class-2 system has a finite subalgebra that contains the observables and is closed under $Pre$ and $And$ operations. This enables the model checking of all existential and universal $\mu$-calculus properties. Infinite-state examples of class-2 systems are provided by the 2D rectangular hybrid automata.



2.1 Finite Characterization: Similarity 

Definition: Similarity Let $S$ be a transition system. Two states $u$ and $v$ of $S$ are similar, denoted $u \cong_2^S v$, if there are simulations $\preceq_1, \preceq_2$ on $S$ such that $u \preceq_1 v$ and $v \preceq_2 u$. The state equivalence $\cong_2$ is called similarity. □

Definition: Class STS2 A symbolic transition system $S$ belongs to the class STS2 if the similarity relation $\cong_2^S$ has finite index. □

Since similarity is coarser than bisimilarity [vG90], the class STS2 of symbolic transition systems is a proper extension of STS1.



2.2 Symbolic State-space Exploration: Intersection Refinement 

The symbolic semi-algorithm Closure2 of Figure 5 is an abstract version of the method presented in [HHK95] for computing the similarity relation of an infinite-state system. Suppose that the input given to Closure2 is the region algebra of a symbolic transition system $S = (Q, \delta, R, \llbracket\cdot\rrbracket, P)$. Given two states $u, v \in Q$, we say that $v$ simulates $u$ if $u \preceq v$ for some simulation $\preceq$ on $S$. For $i \ge 0$ and $u \in Q$, define

$Sim_i(u) = \bigcap\{\llbracket\sigma\rrbracket \mid \sigma \in T_i \text{ and } u \in \llbracket\sigma\rrbracket\}$,

where the set $T_i$ of regions is computed by Closure2. By induction it is easy to check that for all $i \ge 0$, if $v$ simulates $u$, then $v \in Sim_i(u)$. Thus, the extension of every region in $T_i$ is a $\cong_2^S$ block, and if $\cong_2^S$ has finite index, then Closure2 terminates. Conversely, suppose that Closure2 terminates with $\llbracket T_{i+1}\rrbracket \subseteq \llbracket T_i\rrbracket$. From the definition of simulations it follows that if $v \in Sim_i(u)$, then $v$ simulates $u$. This implies that $\cong_2^S$ has finite index.

Symbolic semi-algorithm Closure2

Input: a region algebra $\mathcal{R} = (P, Pre, And, Diff, Empty)$.

  $T_0 := P$;
  for $i = 0, 1, 2, \dots$ do
    $T_{i+1} := T_i \cup \{Pre(\sigma) \mid \sigma \in T_i\} \cup \{And(\sigma, \tau) \mid \sigma, \tau \in T_i\}$
  until $\llbracket T_{i+1}\rrbracket \subseteq \llbracket T_i\rrbracket$.

The termination test $\llbracket T_{i+1}\rrbracket \subseteq \llbracket T_i\rrbracket$ is decided as in Figure 1.

Fig. 5. Intersection refinement

Theorem 2A For all symbolic transition systems $S$, the symbolic semi-algorithm Closure2 terminates on the region algebra $\mathcal{R}_S$ iff $S$ belongs to the class STS2.

Corollary 2A The $\cong_2$ (similarity) equivalence problem is decidable for the class STS2 of symbolic transition systems.
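The following Python is added here as an example serving both Section 1.2 (Closure1, Figure 1) and this section (Closure2, Figure 5); it is not code from the paper. It runs both closures on a constructed six-state system in which the states a and b are similar but not bisimilar, with regions represented as explicit sets so that the region algebra is trivial, and reads off the quotient as the text describes: states that agree on membership in every generated region form one class, which on termination is a bisimilarity class for Closure1 and a similarity class for Closure2.

```python
"""Closure1 (Pre, And, Diff) and Closure2 (Pre, And) on an explicit-set region algebra.

Added example, not code from the paper. The six-state system is constructed:
a -> c1 | c3, b -> c3, c1 -> P, c3 -> P | Q, with observables p = {P} and
q = {Q} plus their complements. The states a and b are similar (each
simulates the other) but not bisimilar (b cannot match a's move to c1 with
a bisimilar state), so the two closures yield different quotients.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

State = str
Region = FrozenSet[State]

SUCC: Dict[State, Set[State]] = {
    "a": {"c1", "c3"}, "b": {"c3"}, "c1": {"P"},
    "c3": {"P", "Q"}, "P": set(), "Q": set(),
}
STATES: Region = frozenset(SUCC)
P_OBS: Region = frozenset({"P"})
Q_OBS: Region = frozenset({"Q"})
# Condition 1 of the definition: the observables cover Q and are closed under complement.
OBSERVABLES: Set[Region] = {P_OBS, STATES - P_OBS, Q_OBS, STATES - Q_OBS}


# Region algebra (P, Pre, And, Diff, Empty); here every region is its own extension.
def pre(sigma: Region) -> Region:
    """States with at least one successor inside sigma."""
    return frozenset(u for u, succ in SUCC.items() if succ & sigma)


def and_(sigma: Region, tau: Region) -> Region:
    return sigma & tau


def diff(sigma: Region, tau: Region) -> Region:
    return sigma - tau


def empty(sigma: Region) -> bool:
    return len(sigma) == 0


def extensions_covered(t_new: Set[Region], t_old: Set[Region]) -> bool:
    """Termination test of Figure 1: every region of T_{i+1} has a region of T_i
    with the same extension, decided with Empty(Diff(.,.)) in both directions."""
    return all(
        any(empty(diff(s, t)) and empty(diff(t, s)) for t in t_old) for s in t_new
    )


def closure(with_diff: bool) -> Tuple[Set[Region], int]:
    """Closure1 if with_diff else Closure2; returns (T_i at termination, rounds)."""
    t_cur: Set[Region] = set(OBSERVABLES)  # T_0 := P
    rounds = 0
    while True:
        t_next = set(t_cur)
        t_next |= {pre(s) for s in t_cur}
        t_next |= {and_(s, t) for s in t_cur for t in t_cur}
        if with_diff:
            t_next |= {diff(s, t) for s in t_cur for t in t_cur}
        rounds += 1
        if extensions_covered(t_next, t_cur):
            return t_cur, rounds
        t_cur = t_next


def quotient(regions: Set[Region]) -> List[Region]:
    """Group states by their membership vector over the generated regions."""
    order = list(regions)
    classes: Dict[Tuple[bool, ...], Set[State]] = {}
    for u in STATES:
        classes.setdefault(tuple(u in s for s in order), set()).add(u)
    return [frozenset(c) for c in classes.values()]


def same_class(classes: List[Region], u: State, v: State) -> bool:
    return any(u in c and v in c for c in classes)


if __name__ == "__main__":
    t1, r1 = closure(with_diff=True)
    t2, r2 = closure(with_diff=False)
    print("Closure1:", len(quotient(t1)), "classes after", r1, "rounds")
    print("Closure2:", len(quotient(t2)), "classes after", r2, "rounds")
```

Closure1 separates a from b through the region $Pre(Diff(Pre(p), Pre(q))) = Pre(\{c_1\}) = \{a\}$, which needs $Diff$; without it, Closure2 only ever produces blocks of the similarity relation, in which a and b fall together.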



2.3 Decidable Properties: Negation-free Branching Time 

Definition: Negation-free $\mu$-calculus The negation-free $\mu$-calculus consists of the $\mu$-calculus formulas that are generated by the grammar

$\varphi ::= p \mid x \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \exists\bigcirc\varphi \mid (\mu x: \varphi) \mid (\nu x: \varphi)$,

for constants $p \in \Pi$ and variables $x \in X$. The state logic $L_2$ consists of the closed formulas of the negation-free $\mu$-calculus. The state logic $\bar L_2$ consists of the duals of all $L_2$-formulas. □



The following facts about the negation-free $\mu$-calculus and its dual are relevant in our context [AH98]. First, both $L_2$ and $\bar L_2$ admit abstraction, and the state equivalence induced by both $L_2$ and $\bar L_2$ is $\cong_2$ (similarity). It follows that the logic $L_1$ with negation is more expressive than either $L_2$ or $\bar L_2$. Second, the negation-free logic $L_2$ is more expressive than the existential fragments of CTL* and CTL, which also induce similarity, and the dual logic $\bar L_2$ is more expressive than the universal fragments of CTL* and CTL, which again induce similarity.

If we apply the symbolic semi-algorithm ModelCheck of Figure 2 to the region algebra of a symbolic transition system $S$ and an input formula from $L_2$, then the cases $\varphi = \bar p$ and $\varphi = \forall\bigcirc\varphi'$ are never executed. It follows that all regions which are generated by ModelCheck are also generated by the semi-algorithm Closure2 on input $\mathcal{R}_S$. Thus, if Closure2 terminates, then so does ModelCheck.

Theorem 2B For all symbolic transition systems $S$ in STS2 and every $L_2$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $\mathcal{R}_S$ and the input formula $\varphi$.

Corollary 2B The $L_2$ and $\bar L_2$ model-checking problems are decidable for the class STS2 of symbolic transition systems.
2.4 Example: 2D Rectangular Hybrid Automata

For every 2D rectangular automaton, the (time-abstract) similarity relation has finite index [HHK95]. It follows that the symbolic semi-algorithm ModelCheck, as implemented in HyTech, decides all $L_2$ and $\bar L_2$ model-checking questions for 2D rectangular automata. The 2D rectangular automata form a maximal class of hybrid automata in STS2. This is because there is a 3D rectangular automaton whose similarity relation is state equality [HK96].

Theorem 2C The 2D rectangular automata belong to the class STS2. There is a 3D rectangular automaton that does not belong to STS2.



3 Class-3 Symbolic Transition Systems 

Class-3 systems are characterized by finite trace-equivalence quotients. The region algebra of a class-3 system 
has a finite subalgebra that contains the observables and is closed under Pre operations and those And 
operations for which one of the two arguments is an observable. This enables the model checking of all 
linear temporal properties. Infinite-state examples of class-3 systems are provided by the rectangular hybrid 
automata. 



3.1 Finite Characterization: Traces 

Definition: Trace equivalence Let $S = (Q, \delta, \llbracket\cdot\rrbracket, P)$ be a transition system. Given a state $u_0 \in Q$, a source-$u_0$ trace $\pi$ of $S$ is a finite or infinite sequence $p_0 p_1 \dots$ of observables $p_i \in P$ such that

1. $u_0 \in \llbracket p_0\rrbracket$;

2. for all $0 \le i$, there is a state $u_{i+1} \in (\delta(u_i) \cap \llbracket p_{i+1}\rrbracket)$.

If the trace is a finite sequence $p_0 p_1 \dots p_n$, the number $n$ of observables (minus 1) is called the length of the trace $\pi$, the final state $u_n$ is the sink of $\pi$, and the final observable $p_n$ is the target of $\pi$. The length of an infinite trace is infinity. Two states $u, v \in Q$ are trace equivalent, denoted $u \cong_3^S v$, if every source-$u$ trace of $S$ is a source-$v$ trace of $S$, and vice versa. The state equivalence $\cong_3$ is called trace equivalence. Two states $u, v \in Q$ are finite trace equivalent, denoted $u \cong_{3f}^S v$, if every finite source-$u$ trace of $S$ is a source-$v$ trace of $S$, and vice versa. The state equivalence $\cong_{3f}$ is called finite trace equivalence. □

Definition: Class STS3 A symbolic transition system $S$ belongs to the class STS3 if the trace-equivalence relation $\cong_3^S$ has finite index. □



Since trace equivalence is coarser than similarity [vG90], the class STS3 of symbolic transition systems is a proper extension of STS2.



3.2 Symbolic State-space Exploration: Observation Refinement 

Trace equivalence can be characterized operationally by the symbolic semi-algorithm Closure3 of Figure 6. We shall show that, when the input is the region algebra of a symbolic transition system $S = (Q, \delta, R, P)$, then Closure3 terminates iff the trace-equivalence relation $\equiv_3$ has finite index. Furthermore, upon termination, $u \equiv_3 v$ iff for each region $\sigma \in T_i$, we have $u \in \llbracket \sigma \rrbracket$ iff $v \in \llbracket \sigma \rrbracket$.

Theorem 3A For all symbolic transition systems $S$, the symbolic semi-algorithm Closure3 terminates on the region algebra $\mathcal{R}_S$ iff $S$ belongs to the class STS3.

Proof We proceed in two steps. First, we show that Closure3 terminates on the region algebra $\mathcal{R}_S$ iff the equivalence relation $\equiv_{L_3}$ induced by the deterministic µ-calculus (defined below) has finite index. Second, we show that $\equiv_{L_3}$ coincides with trace equivalence. The proof of the first part proceeds as usual. It can be seen by induction that for all $i \ge 0$, the extension of every region in $T_i$, as computed by Closure3, is a $\equiv_{L_3}$-block. Thus, if $\equiv_{L_3}$ has finite index, then Closure3 terminates. Conversely, suppose that Closure3 terminates with $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$. It can be shown that if two states are not $\equiv_{L_3}$-equivalent, then there is a region in $T_i$ which contains one state but not the other. It follows that if for each region $\sigma \in T_i$, we have $u \in \llbracket \sigma \rrbracket$ iff $v \in \llbracket \sigma \rrbracket$, then $u \equiv_{L_3} v$. This implies that $\equiv_{L_3}$ has finite index.

For the second part, we show that $L_3$ is as expressive as the logic ∃BÜCHI, whose formulas are the existentially interpreted Büchi automata, and ∃BÜCHI is as expressive as $L_3$. This result is implicit in a proof by [EJS93].

Symbolic semi-algorithm Closure3

Input: a region algebra $\mathcal{R} = (R, Pre, And, Diff, Empty)$.

  $T_0 := P$;
  for $i = 0, 1, 2, \ldots$ do
    $T_{i+1} := T_i \cup \{Pre(\sigma) \mid \sigma \in T_i\} \cup \{And(\sigma, p) \mid \sigma \in T_i \text{ and } p \in P\}$
  until $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$.

The termination test $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$ is decided as in Figure ||.

Fig. 6. Observation refinement



We recall a few definitions. A Büchi automaton BÜCHI is a tuple $(S, \Phi, \to, s_0, F)$, where $S$ is a finite set of states, $\Phi$ is a finite input alphabet, $\to \subseteq S \times \Phi \times S$ is the transition relation, $s_0 \in S$ is the start state, and $F \subseteq S$ is the set of Büchi accepting states. An execution of BÜCHI on an ω-word $w = w_0 w_1 \ldots \in \Phi^\omega$ is an infinite sequence $r = s_0 s_1 \ldots$ of states in $S$, starting from the initial state $s_0$, such that $s_i \xrightarrow{w_i} s_{i+1}$ for all $i \ge 0$. The execution $r$ is accepting if some state in $F$ occurs infinitely often in $r$. The automaton BÜCHI accepts the word $w$ if it has an accepting execution on $w$. The language $L(\text{BÜCHI}) \subseteq \Phi^\omega$ is the set of ω-words accepted by BÜCHI.

The proof is based on the following constructions. By induction on the structure of an $L_3$-formula $\varphi$, we can construct a Büchi automaton $B_\varphi$ such that for all transition systems $S$, a state $u$ of $S$ satisfies $\varphi$ iff some infinite source-$u$ trace of $S$ is accepted by $B_\varphi$. Conversely, given a Büchi automaton $B$, we construct an $L_3$-formula which is equivalent to $\exists B$. Let BÜCHI be a Büchi automaton. For notational convenience, we present the formula in equational form [CKS93]; it can be easily converted to the standard representation by unrolling the equations, and binding variables with µ- or ν-fixpoints. For each set $R \in 2^P$, let $\psi_R$ abbreviate the formula $\bigwedge R \wedge \bigwedge \{\neg p \mid p \in P \setminus R\}$. For each state $s$ of BÜCHI, we introduce a propositional variable $X_s$. The equation for $X_s$ is

where $\lambda = \nu$ if $s \in F$ is an accepting state, and $\lambda = \mu$ otherwise. The top-level variable is $X_{s_0}$, where $s_0$ is the initial state. The correctness of the procedure follows from [BC96]. An equivalent construction is given in [Dam94].

Since the state equivalence induced by ∃BÜCHI is trace equivalence, it follows that $\equiv_{L_3}$ is also trace equivalence. □

Corollary 3A The $\equiv_3$ (trace) equivalence problem is decidable for the class STS3 of symbolic transition systems.



3.3 Decidable Properties: Linear Time 



Definition: Deterministic µ-calculus The deterministic µ-calculus (also called "L1" in [EJS93]) consists of the µ-calculus formulas that are generated by the grammar

$\varphi ::= p \mid x \mid \varphi \vee \varphi \mid p \wedge \varphi \mid \exists\bigcirc \varphi \mid (\mu x : \varphi) \mid (\nu x : \varphi)$,

for constants $p \in \Pi$ and variables $x \in X$. The state logic $L_3$ consists of the closed formulas of the deterministic µ-calculus. The state logic $\bar{L}_3$ consists of the duals of all $L_3$-formulas. □
The following facts about the deterministic µ-calculus and its dual are relevant in our context (cf. the second part of the proof of Theorem 3A). First, both $L_3$ and $\bar{L}_3$ admit abstraction, and the state equivalence induced by both $L_3$ and $\bar{L}_3$ is $\equiv_3$ (trace equivalence). It follows that the logic $L_2$ with unrestricted conjunction is more expressive than $L_3$, and $\bar{L}_2$ is more expressive than $\bar{L}_3$. Second, the logic $L_3$ with restricted conjunction is more expressive than the existential interpretation of the linear temporal logic LTL, which also induces trace equivalence. For example, the existential LTL formula $\exists(p\,\mathcal{U}\,q)$ ("on some trace, $p$ until $q$") is equivalent to the $L_3$-formula $(\mu x : q \vee (p \wedge \exists\bigcirc x))$ (notice that one argument of the conjunction is a constant). The dual logic $\bar{L}_3$ is more expressive than the usual, universal interpretation of LTL, which again induces trace equivalence. For example, the (universal) LTL formula $p\,\mathcal{W}\,q$ ("on all traces, either $p$ forever, or $p$ until $q$") is equivalent to the $\bar{L}_3$-formula $(\nu x : p \wedge \forall\bigcirc (q \vee x))$ (notice that one argument of the disjunction is a constant).

If we apply the symbolic semi-algorithm ModelCheck of Figure || to the region algebra of a symbolic transition system $S$ and an input formula from $L_3$, then all regions which are generated by ModelCheck are also generated by the semi-algorithm Closure3 on input $\mathcal{R}_S$. Thus, if Closure3 terminates, then so does ModelCheck.

Theorem 3B For all symbolic transition systems $S$ in STS3 and every $L_3$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $\mathcal{R}_S$ and the input formula $\varphi$.

Corollary 3B The $L_3$ and $\bar{L}_3$ model-checking problems are decidable for the class STS3 of symbolic transition systems.

Remark: LTL model checking These results suggest, in particular, a symbolic procedure for model checking LTL properties over STS3 systems [HM00]. Suppose that $S$ is a symbolic transition system in the class STS3, and $\varphi$ is an LTL formula. First, convert $\neg\varphi$ to a Büchi automaton BÜCHI$_{\neg\varphi}$ using a tableau construction, and then to an equivalent $L_3$-formula $\psi$ (introduce one variable per state of BÜCHI$_{\neg\varphi}$). Second, run the symbolic semi-algorithm ModelCheck on inputs $\mathcal{R}_S$ and $\psi$. It will terminate with a representation of the complement of the set of states that satisfy $\varphi$ in $S$.

While ModelCheck provides a symbolic semi-algorithm for LTL, traditionally a different method is used for symbolic model checking of LTL formulas [CGL94]. Given a state $u$ of a finite-state transition structure $S$, and an LTL formula $\varphi$, the model-checking question for LTL can be solved by constructing the product of $S$ with the tableau automaton BÜCHI$_\varphi$, and then checking the nonemptiness of a Büchi condition on the product structure. A Büchi condition is an LTL formula of the form $\Box\Diamond\psi$, where $\psi$ is a disjunction of observables; therefore nonemptiness can be checked symbolically by evaluating the equivalent formula

$\chi = \nu x_1 . \mu x_2 . (\exists\bigcirc x_2 \vee (\psi \wedge \exists\bigcirc x_1))$.

To extend this method to infinite-state structures, we need to be more formal. Let $S = (Q, \delta, R, P)$ be a symbolic transition system and let BÜCHI$_\varphi = (S, 2^P, \to, s_0, F)$ be a tableau automaton. The product structure $S_\varphi = (S \times Q, \delta_\varphi, S \times R, P_\varphi)$ is defined as follows. The set of states of $S_\varphi$ is the Cartesian product $S \times Q$, and the set of regions of $S_\varphi$ is the Cartesian product $S \times R$. The extension $\llbracket (s, \sigma) \rrbracket_\varphi$ for the region $(s, \sigma)$ is the set of states $\{s\} \times \llbracket \sigma \rrbracket$. The set of observables $P_\varphi$ is $S \times P$; for an observable $(s, p) \in P_\varphi$, define $(s', u) \in \llbracket (s, p) \rrbracket_\varphi$ iff $s' = s$ and $u \in \llbracket p \rrbracket$; that is, the state of the tableau automaton is also observable. Define $(s', v) \in \delta_\varphi(s, u)$ iff $s \xrightarrow{p} s'$ and $v \in \delta(u)$ and $u \in \llbracket p \rrbracket$. Then $u \in \llbracket \varphi \rrbracket_S$, for $u \in Q$, iff $(s_0, u) \in \llbracket \Box\Diamond\psi \rrbracket_{S_\varphi}$, where $\psi = \bigvee_{s \in F,\, p \in P} (s, p)$. Since the tableau automaton BÜCHI$_\varphi$ is finite, it is easy to check that $\mathcal{R}_\varphi$, with the extension function $\llbracket \cdot \rrbracket_\varphi$, is a region algebra for $S_\varphi$. Let AutomLTL be the product-automaton based algorithm for LTL model checking which, given an LTL formula $\varphi$ and a symbolic transition system $S$, evaluates the $L_3$ formula $\chi$ (representing a Büchi condition) on the product system $S_\varphi$ (using the semi-algorithm ModelCheck). It is not difficult to see that if observation refinement terminates on $S$ in $k$ steps, then it also terminates on $S_\varphi$ in $k$ steps (if Closure3 generates $m$ regions on $S$, then it generates at most $m \cdot |S|$ regions on $S_\varphi$).

Corollary 3B' For all symbolic transition systems $S$ in STS3, and every LTL formula $\varphi$, the symbolic semi-algorithm AutomLTL terminates on the region algebra $\mathcal{R}_S$ and the input formula $\varphi$.
Indeed, by induction on the construction of regions, one can show that for each region representative $(s, \sigma)$ computed in the product-automaton based algorithm, the variable $X_s$ in the µ-calculus based algorithm represents the region $\llbracket \sigma \rrbracket$ at some stage of the computation, and conversely, for each valuation $R$ of the variable $X_s$ in the µ-calculus based algorithm, a region representative of $\{s\} \times R$ is computed in the product-automaton based algorithm. Thus, the two methods are equivalent in the regions they generate. □

Remark: Finite Trace Equivalence Let STS3f be the class of symbolic transition systems whose finite 
trace equivalence relation has finite index. 

Definition: Finitary Deterministic µ-calculus The finitary fragment of the deterministic µ-calculus consists of the formulas of the deterministic µ-calculus without the greatest fixpoint operator. Formally, formulas are generated by the grammar

$\varphi ::= p \mid x \mid \varphi \vee \varphi \mid p \wedge \varphi \mid \exists\bigcirc \varphi \mid (\mu x : \varphi)$,

for constants $p \in \Pi$ and variables $x \in X$. The state logic $L_{3f}$ consists of the closed formulas of the finitary deterministic µ-calculus. The state logic $\bar{L}_{3f}$ consists of the duals of all $L_{3f}$-formulas. □

From the proof of Theorem 3A, we notice that the finitary deterministic µ-calculus is equally expressive as the logic ∃A whose formulas are the existentially interpreted finite automata; in other words, $L_{3f}$ expresses exactly the regular sets. Thus the following corollary is immediate.

Corollary 3BFinite For all symbolic transition systems $S$ in STS3f and every $L_{3f}$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $\mathcal{R}_S$ and the input formula $\varphi$. Hence, the $L_{3f}$ and $\bar{L}_{3f}$ model-checking problems are decidable for the class STS3f of symbolic transition systems.



3.4 Example: Rectangular Hybrid Automata 



For every rectangular automaton, the (time-abstract) trace-equivalence relation has finite index [HKPV98]. It follows that the symbolic semi-algorithm ModelCheck, as implemented in HyTech, decides all $L_3$ and $\bar{L}_3$ model-checking questions for rectangular automata. The rectangular automata form a maximal class of hybrid automata in STS3. This is because for simple generalizations of rectangular automata, the reachability problem is undecidable [HKPV98].

Theorem 3C The rectangular automata belong to the class STS3. 



4 Class-4 Symbolic Transition Systems 

We define two states of a transition system to be "distance equivalent" if for every distance $d$, the same observables can be reached in $d$ transitions. Class-4 systems are characterized by finite distance-equivalence quotients. The region algebra of a class-4 system has a finite subalgebra that contains the observables and is closed under Pre operations. This enables the model checking of all existential conjunction-free and universal disjunction-free µ-calculus properties, such as the property that an observable can be reached in an even number of transitions.



4.1 Finite Characterization: Equi-distant Targets 

Definition: Distance equivalence Let $S$ be a transition system. Two states $u$ and $v$ of $S$ are distance equivalent, denoted $u \equiv_4 v$, if for every source-$u$ trace of $S$ with length $n$ and target $p$, there is a source-$v$ trace of $S$ with length $n$ and target $p$, and vice versa. The state equivalence $\equiv_4$ is called distance equivalence. □

Definition: Class STS4 A symbolic transition system $S$ belongs to the class STS4 if the distance-equivalence relation $\equiv_4$ has finite index. □

Figure 7 shows that distance equivalence is coarser than trace equivalence ($u$ and $v$ are distance equivalent but not trace equivalent). It follows that the class STS4 of symbolic transition systems is a proper extension of STS3.

Fig. 7. Distance equivalence is coarser than trace equivalence



Symbolic semi-algorithm Closure4

Input: a region algebra $\mathcal{R} = (R, Pre, And, Diff, Empty)$.

  $T_0 := P$;
  for $i = 0, 1, 2, \ldots$ do
    $T_{i+1} := T_i \cup \{Pre(\sigma) \mid \sigma \in T_i\}$
  until $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$.

The termination test $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$ is decided as in Figure ||.

Fig. 8. Predecessor iteration



4.2 Symbolic State-space Exploration: Predecessor Iteration 

The symbolic semi-algorithm Closure4 of Figure 8 computes the subalgebra of a region algebra $\mathcal{R}_S$ that contains the observables and is closed under the Pre operation. Suppose that the input given to Closure4 is the region algebra of a symbolic transition system $S = (Q, \delta, R, P)$. For $i \ge 0$ and $u, v \in Q$, define $u \approx_i v$ if for every source-$u$ trace of $S$ with length $n \le i$ and target $p$, there is a source-$v$ trace of $S$ with length $n$ and target $p$, and vice versa. By induction it is easy to check that for all $i \ge 0$, the extension of every region in $T_i$, as computed by Closure4, is a $\approx_i$-block. Since $\approx_i$ is as coarse as $\equiv_4$ for all $i \ge 0$, and $\equiv_4$ is equal to $\bigcap \{\approx_i \mid i \ge 0\}$: if $\equiv_4$ has finite index, then $\equiv_4$ is equal to $\approx_i$ for some $i \ge 0$. Then, Closure4 will terminate in $i$ iterations. Conversely, suppose that Closure4 terminates with $\llbracket T_{i+1} \rrbracket \subseteq \llbracket T_i \rrbracket$. In this case, if for all regions $\sigma \in T_i$, we have $u \in \llbracket \sigma \rrbracket$ iff $v \in \llbracket \sigma \rrbracket$, then $u \equiv_4 v$. This is because if $u$ can reach an observable $p$ in $n$ transitions, but $v$ cannot, then there is a region in $T_i$, namely $Pre^n(p)$, such that $u \in \llbracket Pre^n(p) \rrbracket$ and $v \notin \llbracket Pre^n(p) \rrbracket$. It follows that $\equiv_4$ has finite index.

Theorem 4A For all symbolic transition systems $S$, the symbolic semi-algorithm Closure4 terminates on the region algebra $\mathcal{R}_S$ iff $S$ belongs to the class STS4.

Corollary 4A The $\equiv_4$ (distance) equivalence problem is decidable for the class STS4 of symbolic transition systems.

4.3 Decidable Properties: Conjunction-free Linear Time 

Definition: Conjunction-free µ-calculus The conjunction-free µ-calculus consists of the µ-calculus formulas that are generated by the grammar

$\varphi ::= p \mid x \mid \varphi \vee \varphi \mid \exists\bigcirc \varphi \mid (\mu x : \varphi)$,

for constants $p \in \Pi$ and variables $x \in X$. The state logic $L_4^\mu$ consists of the closed formulas of the conjunction-free µ-calculus. The state logic $\bar{L}_4^\mu$ consists of the duals of all $L_4^\mu$-formulas. □

Definition: Conjunction-free temporal logic The formulas of the conjunction-free temporal logic $L_4$ are generated by the grammar

$\varphi ::= p \mid \varphi \vee \varphi \mid \exists\bigcirc \varphi \mid \exists\Diamond_{\le d}\, \varphi \mid \exists\Diamond \varphi$,

for constants $p \in \Pi$ and nonnegative integers $d$. Let $S = (Q, \delta, P)$ be a transition system whose observables include all constants; that is, $\Pi \subseteq P$. The $L_4$-formula $\varphi$ defines the set $\llbracket \varphi \rrbracket_S \subseteq Q$ of satisfying states:

$\llbracket p \rrbracket_S = \llbracket p \rrbracket$;

$\llbracket \exists\bigcirc \varphi \rrbracket_S = \{u \in Q \mid (\exists v \in \delta(u) : v \in \llbracket \varphi \rrbracket_S)\}$;

$\llbracket \exists\Diamond_{\le d}\, \varphi \rrbracket_S = \{u \in Q \mid$ there is a source-$u$ trace of $S$ with length at most $d$ and sink in $\llbracket \varphi \rrbracket_S\}$;

$\llbracket \exists\Diamond \varphi \rrbracket_S = \{u \in Q \mid$ there is a source-$u$ trace of $S$ with sink in $\llbracket \varphi \rrbracket_S\}$.

(The constructor $\exists\Diamond_{\le d}$ is definable from $\exists\bigcirc$ and $\vee$; however, it will be essential in the $\exists\bigcirc$-free fragment of $L_4$ we will consider below.) □

Remark: Duality For every $L_4$-formula $\varphi$, the dual formula $\bar{\varphi}$ is obtained by replacing the constructors $p$, $\vee$, $\exists\bigcirc$, $\exists\Diamond_{\le d}$, and $\exists\Diamond$ by $\neg p$, $\wedge$, $\forall\bigcirc$, $\forall\Box_{\le d}$, and $\forall\Box$, respectively. The semantics of the dual constructors is defined as usual, such that $\llbracket \bar{\varphi} \rrbracket_S = Q \setminus \llbracket \varphi \rrbracket_S$. The state logic $\bar{L}_4$ consists of the duals of all $L_4$-formulas. It follows that the answer of the model-checking question for a state $u \in Q$ and an $\bar{L}_4$-formula $\bar{\varphi}$ is complementary to the answer of the model-checking question for $u$ and the $L_4$-formula $\varphi$. □

The following facts about the conjunction-free µ-calculus, conjunction-free temporal logic, and their duals are relevant in our context. First, both $L_4^\mu$ and $\bar{L}_4^\mu$ admit abstraction, and the state equivalence induced by both $L_4^\mu$ and $\bar{L}_4^\mu$ is $\equiv_4$ (distance equivalence). It follows that the logic $L_3$ with restricted conjunction is more expressive than $L_4^\mu$, and $\bar{L}_3$ is more expressive than $\bar{L}_4^\mu$. Second, the conjunction-free µ-calculus $L_4^\mu$ is more expressive than the conjunction-free temporal logic $L_4$, and $\bar{L}_4^\mu$ is more expressive than $\bar{L}_4$, both of which also induce distance equivalence. For example, the property that an observable can be reached in an even number of transitions can be expressed in $L_4^\mu$ but not in $L_4$.

If we apply the symbolic semi-algorithm ModelCheck of Figure || to the region algebra of a symbolic transition system $S$ and an input formula from $L_4^\mu$, then all regions which are generated by ModelCheck are also generated by the semi-algorithm Closure4 on input $\mathcal{R}_S$. Thus, if Closure4 terminates, then so does ModelCheck.

Theorem 4B For all symbolic transition systems $S$ in STS4 and every $L_4^\mu$-formula $\varphi$, the symbolic semi-algorithm ModelCheck terminates on the region algebra $\mathcal{R}_S$ and the input formula $\varphi$.

Corollary 4B The $L_4^\mu$ and $\bar{L}_4^\mu$ model-checking problems are decidable for the class STS4 of symbolic transition systems.



5 Class-5 Symbolic Transition Systems 

We define two states of a transition system to be "bounded-reach equivalent" if for every distance $d$, the same observables can be reached in $d$ or fewer transitions. Class-5 systems are characterized by finite bounded-reach-equivalence quotients. Equivalently, for every observable $p$ there is a finite bound $n_p$ such that all states that can reach $p$ can do so in at most $n_p$ transitions. This enables the model checking of all reachability and (by duality) invariance properties. The transition systems in class 5 have also been called "well-structured" [ACJT96]. Infinite-state examples of class-5 systems are provided by networks of rectangular hybrid automata.



5.1 Finite Characterization: Bounded-distance Targets 

Definition: Bounded-reach equivalence Let $S$ be a transition system. Two states $u$ and $v$ of $S$ are bounded-reach equivalent, denoted $u \equiv_5 v$, if for every source-$u$ trace of $S$ with length $n$ and target $p$, there is a source-$v$ trace of $S$ with length at most $n$ and target $p$, and vice versa. The state equivalence $\equiv_5$ is called bounded-reach equivalence. □
Fig. 9. Bounded-reach equivalence is coarser than distance equivalence

Symbolic semi-algorithm Reach

Input: a region algebra $\mathcal{R} = (R, Pre, And, Diff, Empty)$.

  for each $p \in P$ do
    $T_0 := \{p\}$;
    for $i = 0, 1, 2, \ldots$ do
      $T_{i+1} := T_i \cup \{Pre(\sigma) \mid \sigma \in T_i\}$
    until $\bigcup \{\llbracket \sigma \rrbracket \mid \sigma \in T_{i+1}\} \subseteq \bigcup \{\llbracket \sigma \rrbracket \mid \sigma \in T_i\}$
  end.

The termination test $\bigcup \{\llbracket \sigma \rrbracket \mid \sigma \in T_{i+1}\} \subseteq \bigcup \{\llbracket \sigma \rrbracket \mid \sigma \in T_i\}$ is decided as in Figure ||.

Fig. 10. Predecessor aggregation



Definition: Class STS5 A symbolic transition system $S$ belongs to the class STS5 if the bounded-reach-equivalence relation $\equiv_5$ has finite index. □

Figure 9 shows that bounded-reach equivalence is coarser than distance equivalence (all states $u_i$, for $i \ge 0$, are bounded-reach equivalent, but no two of them are distance equivalent). It follows that the class STS5 of symbolic transition systems is a proper extension of STS4.

5.2 Symbolic State-space Exploration: Predecessor Aggregation 

The symbolic semi-algorithm Reach of Figure 10 starts from the observables and repeatedly applies the Pre operation, but its termination criterion is more easily met than the termination criterion of the semi-algorithm Closure4; that is, Reach may terminate on more inputs than Closure4. Indeed, we shall show that, when the input is the region algebra of a symbolic transition system $S = (Q, \delta, R, P)$, then Reach terminates iff $S$ belongs to the class STS5. Furthermore, upon termination, $u \equiv_5 v$ iff for each observation $p \in P$ and each region $\sigma \in T_i$ of the iteration for $p$, we have $u \in \llbracket \sigma \rrbracket$ iff $v \in \llbracket \sigma \rrbracket$.



An alternative characterization of the class STS5 can be given using well-quasi-orders on states [ACJT96,FS98]. A quasi-order on a set $A$ is a reflexive and transitive binary relation on $A$. A well-quasi-order on $A$ is a quasi-order $\preceq$ on $A$ such that for every infinite sequence $a_0, a_1, a_2, \ldots$ of elements $a_i \in A$ there exist indices $i$ and $j$ with $i < j$ and $a_i \preceq a_j$. A set $B \subseteq A$ is upward-closed if for all $b \in B$ and $a \in A$, if $b \preceq a$, then $a \in B$. It can be shown that if $\preceq$ is a well-quasi-order on $A$, then every infinite increasing sequence $B_0 \subseteq B_1 \subseteq B_2 \subseteq \cdots$ of upward-closed sets $B_i \subseteq A$ eventually stabilizes; that is, there exists an index $i \ge 0$ such that $B_j = B_i$ for all $j \ge i$.

Theorem 5A For all symbolic transition systems $S$, the following three conditions are equivalent:

1. $S$ belongs to the class STS5.

2. The symbolic semi-algorithm Reach terminates on the region algebra $\mathcal{R}_S$.

3. There is a well-quasi-order $\preceq$ on the states of $S$ such that for all observations $p$ and all nonnegative integers $d$, the set $\llbracket \exists\Diamond_{\le d}\, p \rrbracket_S$ is upward-closed.

Proof (2 ⇒ 1) Define $u \approx_{\le n} v$ if for all observations $p$, for every source-$u$ trace with length $n$ and target $p$, there is a source-$v$ trace with length at most $n$ and target $p$, and vice versa. Note that $\approx_{\le n}$ has finite index for all $n \ge 0$. Suppose that the semi-algorithm Reach terminates in at most $i$ iterations for each observation $p$. Then for all $n \ge i$, the equivalence relation $\approx_{\le n}$ is equal to $\approx_{\le i}$. Since $\equiv_5$ is equal to $\bigcap \{\approx_{\le n} \mid n \ge 0\}$, $\equiv_5$ has finite index.

(1 ⇒ 3) Define the quasi-order $u \preceq v$ if for all observables $p$ and all $n \ge 0$, for every source-$u$ trace with length $n$ and target $p$, there is a source-$v$ trace with length at most $n$ and target $p$. Then each set $\llbracket \exists\Diamond_{\le d}\, p \rrbracket_S$, for an observable $p$ and a nonnegative integer $d$, is upward-closed with respect to $\preceq$. Furthermore, if $\equiv_5$ has finite index, then $\preceq$ is a well-quasi-order. This is because $u \equiv_5 v$ implies $u \preceq v$: if there were an infinite sequence $u_0, u_1, u_2, \ldots$ of states such that for all $i \ge 0$ and $j < i$, we have $u_j \not\preceq u_i$, then no two of these states would be $\equiv_5$-equivalent.

(3 ⇒ 2) This part of the proof follows immediately from the stabilization property of well-quasi-orders [ACJT96]. □

5.3 Decidable Properties: Bounded Reachability 

Definition: Bounded-reachability logic The bounded-reachability logic $L_5$ consists of the $L_4$-formulas that are generated by the grammar

$\varphi ::= p \mid \varphi \vee \varphi \mid \exists\Diamond_{\le d}\, \varphi \mid \exists\Diamond \varphi$,

for constants $p \in \Pi$ and nonnegative integers $d$. The state logic $\bar{L}_5$ consists of the duals of all $L_5$-formulas. □

The following facts about bounded-reachability logic and its dual are relevant in our context. Both $L_5$ and $\bar{L}_5$ admit abstraction, and the state equivalence induced by both $L_5$ and $\bar{L}_5$ is $\equiv_5$ (bounded-reach equivalence). It follows that the conjunction-free temporal logic $L_4$ is more expressive than $L_5$, and $\bar{L}_4$ is more expressive than $\bar{L}_5$. For example, the property that an observable can be reached in exactly $d$ transitions can be expressed in $L_4$ but not in $L_5$. Since $L_5$ admits abstraction, and for STS5 systems the induced quotient can be constructed using the symbolic semi-algorithm Reach, we have the following theorem.

Theorem 5B The $L_5$ and $\bar{L}_5$ model-checking problems are decidable for the class STS5 of symbolic transition systems.

A direct symbolic model-checking semi-algorithm for $L_5$ and, indeed, $L_4$ is easily derived from the semi-algorithm Reach. Then, if Reach terminates, so does model checking for all $L_4$-formulas, including unbounded $\exists\Diamond$ properties. The extension to $L_4$ is possible because $\exists\bigcirc$ properties pose no threat to termination. However, this is not true for $L_4^\mu$: Figure 11 shows a symbolic transition system in the class STS5 for which the naive evaluation of the formula $(\mu x : p \vee \exists\bigcirc \exists\bigcirc x)$ does not terminate. We now show that this is not surprising, as $L_4^\mu$ is undecidable on STS5 systems. To establish this result, we proceed as follows: given a two-counter machine $M = (\{b_1, \ldots, b_m\}, C, D)$, we define a symbolic transition system $S_M$ that belongs to the class STS5 and that encodes the computations of $M$ using $Pre^2$. On such a structure we prove that the formula $(\mu x : \text{Final} \vee \exists\bigcirc \exists\bigcirc x)$ characterizes exactly the set of configurations of the two-counter machine that can reach a final location. This will establish the undecidability of $L_4^\mu$ on STS5 systems.

Without loss of generality, we make the following hypothesis on the two-counter machine $M$: there is only one initial location and only one final location in $M$; we denote them $b_0$ and $b_m$ respectively. Furthermore, the initial location of $M$ is never reached after the first instruction. A configuration of $M$ is a triple $\gamma = (i, c, d)$, where $i$ is the program counter indicating the current instruction, and $c$ and $d$ are the values of the counters $C$ and $D$. A computation of $M$ is a finite or infinite sequence $\alpha = \gamma_0 \gamma_1 \ldots$ of configurations such that for every $i$, $\gamma_{i+1}$ is an $M$-successor of $\gamma_i$. In the sequel, we write $(\gamma_i, \gamma_{i+1}) \in R_M$ to denote that $\gamma_{i+1}$ is an $M$-successor of $\gamma_i$. We say that a computation $\alpha$ is initial if $\gamma_0 = (0, 0, 0)$, that is, the first instruction is the initial instruction and the two counters have the value 0. We say that a computation $\alpha$ is final if $\alpha$ is finite and its last configuration contains the stop instruction. The halting problem for a two-counter machine $M$ is to decide whether or not the execution of $M$ has at least one initial computation that ends in a stop instruction. The problem of deciding if a two-counter machine has a halting computation is undecidable [HU79].

Fig. 11. An STS5 system on which $L_4^\mu$ does not terminate

We define the transition system $S_M$ that encodes the computations of $M$ using $Pre^2$ as follows.

— The states of the transition system are pairs $(\gamma, i)$ where $\gamma$ is a configuration of $M$ and $i \in \{1, 2\}$. We call $(\gamma, 1)$ the copy-1 of configuration $\gamma$, and $(\g
amma, 2)$ the copy-2 of configuration $\gamma$. Formally, the set of states $Q$ is the union $I \cup B \cup F$, where: (i) $I = \{((0, 0, 0), 1)\}$, that is, the singleton containing the copy-1 of the initial configuration of $M$; (ii) $B = \{((0, 0, 0), 2)\} \cup \{((b, c, d), i) \mid b \ne 0 \wedge b \ne m \wedge c, d \ge 0\}$, that is, the set containing the copy-2 of the initial configuration of $M$ and two copies of each configuration of $M$ which is not initial and not final; (iii) $F = \{((b, c, d), 1) \mid b = m \wedge c, d \ge 0\}$, that is, the copy-1 of each final configuration of $M$.

— The transition relation $\delta$ is defined as follows: for every $(\gamma_1, i_1), (\gamma_2, i_2) \in Q$, we have that $(\gamma_2, i_2) \in \delta(\gamma_1, i_1)$ if and only if one of the following conditions is satisfied: (i) $(\gamma_1, i_1) \in I \cup B \wedge i_1 = 1 \wedge (\gamma_2, i_2) \in F$, that is, every copy-1 of a configuration which is not final is linked to every final configuration; (ii) $\gamma_1 = \gamma_2 \wedge i_1 = 1 \wedge i_2 = 2 \wedge (\gamma_1, i_1) \in B \cup I$, that is, every copy-1 of a configuration $\gamma$ is linked to the copy-2 of $\gamma$; (iii) $(\gamma_1, i_1) \in B \wedge i_1 = 2 \wedge (\gamma_2, i_2) \in B \cup F \wedge i_2 = 1 \wedge (\gamma_1, \gamma_2) \in R_M$, that is, the copy-2 of a configuration $\gamma_1$ is linked to the copy-1 of a configuration $\gamma_2$ if $\gamma_2$ is an $M$-successor of $\gamma_1$.

— The set of regions $R$ is the set of sets of states definable by Presburger formulas.

— The set of propositions $P$ is {Init, Between, Final}, with the following extension function: (i) $\llbracket \text{Init} \rrbracket = I$, (ii) $\llbracket \text{Between} \rrbracket = B$, and (iii) $\llbracket \text{Final} \rrbracket = F$.

We now establish three properties of the symbolic transition system $S_M$.

Lemma 5A Presburger formulas form a region algebra for the transition system $S_M$.

Proof. This algebra is trivially closed under all boolean operations; furthermore, the problems of satisfiability and of membership for Presburger formulas are decidable. So it remains to show that the sets of states satisfying the propositions are expressible as Presburger formulas and that for all regions $R$, $Pre(R)$ is expressible by a Presburger formula. Let us consider the proposition Between; the set of states of $S_M$ that satisfy Between is expressed by the following Presburger formula: $(0 < i < m \wedge c \ge 0 \wedge d \ge 0 \wedge (copy = 1 \vee copy = 2)) \vee (i = 0 \wedge copy = 2 \wedge c = 0 \wedge d = 0)$. The other propositions are left to the reader. Let us now show that the region algebra is closed under Pre. We show how to construct the formula $\Phi$ that represents $Pre(R_\Psi)$, where $R_\Psi$ is the set of states defined by the Presburger formula $\Psi$ with free variables $i', c', d', copy'$. By definition of $\delta$, we have to consider three cases. We treat the third one; the first two are trivial and left to the reader. The final formula is obtained by taking the disjunction of the three formulas. To construct the formula for the third case, we proceed as follows. For each instruction $j$ of the two-counter machine, we construct a Presburger formula. We treat the case where the instruction $j$ is of the form $i_1 : c := c + 1 \to i_2$. The corresponding Presburger formula is: $\exists i', c', d', copy' . \Psi(i', c', d', copy') \wedge i = i_1 \wedge i' = i_2 \wedge c = c' - 1 \wedge d = d' \wedge copy = 2 \wedge copy' = 1$. □

Lemma 5B The transition system $S_M$ is in the class STS5.

Proof. We show that for every proposition $p \in P$, the iteration of Pre terminates:

- $p$ = Init. Trivially, $Pre^*(\llbracket \text{Init} \rrbracket) = I$, as $\llbracket \text{Init} \rrbracket = I = \{((0, 0, 0), 1)\}$ and $((0, 0, 0), 1)$ has no predecessors by definition of $\delta$;

- $p$ = Between. We have $Pre^*(\llbracket \text{Between} \rrbracket) = I \cup B = Pre^1(B)$; in fact, the copy-1 of the initial configuration of $M$ is reached after one iteration, and no other states can be added (the states of $F$ have no outgoing edges).

- $p$ = Final. We have $Pre^*(\llbracket \text{Final} \rrbracket) = Pre^2(\llbracket \text{Final} \rrbracket)$; in fact, $\llbracket \text{Final} \rrbracket = F$, $Pre(F) = I \cup \{(\gamma_1, i_1) \in B \mid i_1 = 1 \vee (\exists (\gamma_2, 1) \in F \wedge (\gamma_1, \gamma_2) \in R_M)\}$, and $Pre(Pre(F)) \supseteq \{(\gamma_1, 2) \mid \exists (\gamma_2, 1) \in B \wedge (\gamma_2, 1) \in \delta((\gamma_1, 2))\}$; thus $Pre^2(\llbracket \text{Final} \rrbracket)$ contains every state of $Q$ that is either final or has at least one outgoing edge, and thus no other state can be added.

□

Lemma 5C For every $(\gamma_a, 1) \in Q$, $(\gamma_a, 1) \in (Pre^2)^*(F)$ if and only if there exists a computation $\alpha = \gamma_0 \gamma_1 \ldots \gamma_n$ of $M$ such that $\gamma_a = \gamma_0$ and $\gamma_n$ is a final configuration.

Proof. Let us first establish the left to right direction. We reason by induction on $i$. Base case: $i = 0$. As $(Pre^2)^0(F) = F$, this is trivial. Induction case: $i = k > 0$. Let us consider $(\gamma_a, 1) \in (Pre^2)((Pre^2)^{k-1}(F))$. By construction of $S_M$, we know that $B \cap \delta(\gamma_a, 1) = \{(\gamma_a, 2)\}$ and $\delta(\gamma_a, 2) = \{(\gamma_c, 1) \mid (\gamma_a, \gamma_c) \in R_M\}$. By hypothesis, $\delta(\gamma_a, 2) \cap (Pre^2)^{k-1}(F)$ is non-empty. Consider $(\gamma_c, 1) \in \delta(\gamma_a, 2) \cap (Pre^2)^{k-1}(F)$; by induction hypothesis, there exists a final $M$-computation $\alpha' = \gamma_0 \gamma_1 \ldots \gamma_{k-1}$. We construct $\alpha = \gamma_a \cdot \alpha'$, which is a final $M$-computation that goes from $\gamma_a$ to a final configuration of $M$.

Let us now establish the right to left implication. We show that if $\alpha = \gamma_0 \gamma_1 \ldots \gamma_n$ is a final $M$-computation then $(\gamma_0, 1) \in (Pre^2)^n(F)$. We reason by induction on the value of $n$. Base case: $n = 0$, that is $\alpha = \gamma_0$. In this case, $\gamma_0$ is a final configuration and $(\gamma_0, 1) \in F$ and trivially, $(\gamma_0, 1) \in (Pre^2)^0(F)$. Induction case: $n = k > 0$. Let us consider the final $M$-computation $\alpha = \gamma_0 \gamma_1 \ldots \gamma_k$. By definition $\gamma_1 \ldots \gamma_k$ is a final $M$-computation and by induction hypothesis $(\gamma_1, 1) \in (Pre^2)^{k-1}(F)$. Let us show that $(\gamma_0, 1) \in Pre^2(\{(\gamma_1, 1)\})$ holds. We know that $(\gamma_0, \gamma_1) \in R_M$ as $\alpha$ is an $M$-computation, and by definition of $\delta$, we have $(\gamma_1, 1) \in \delta(\gamma_0, 2)$, and as $(\gamma_0, 2) \in \delta(\gamma_0, 1)$, we have $(\gamma_0, 1) \in Pre^2(\{(\gamma_1, 1)\})$. It follows that $(\gamma_0, 1) \in (Pre^2)^k(F)$. □

From the above lemmas, it follows that the P4 formula $(\mu x : \mathit{Final} \vee \exists\bigcirc \exists\bigcirc x)$ expresses on $S_M$ exactly the set of configurations of $M$ that can reach a final location of $M$. The undecidability of model checking P4 on the class STS5 follows as a consequence.
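To make the two-copy encoding and the $\mathit{Pre}^2$ iteration of Lemma 5C concrete, here is an added Python example; it is not the paper's construction of $S_M$ (which carries additional structure, such as the observables Init and Between and the sets $I$ and $F$), but a simplified encoding built from the two transition facts quoted in the proof: $(\gamma, 1)$ steps to $(\gamma, 2)$, and $(\gamma, 2)$ steps to $(\gamma', 1)$ for every $M$-successor $\gamma'$ of $\gamma$. The two-counter program, the counter bound, and the names PROGRAM, step, delta, pre2_iterate and mu_final_or_nextnext are all assumptions of the example. Counters are bounded so that the explored state space is finite; the paper's $S_M$ is infinite-state, which is exactly why the iteration cannot be carried out in general there.

```python
# Added example: two-copy encoding of a small counter machine and the Pre^2 iteration.
# Constructed illustration; not the paper's definition of S_M.

# Constructed two-counter program, indexed by location i.
#   ('inc', reg, next)                 increment reg, go to next
#   ('dec', reg, next_pos, next_zero)  if reg > 0: decrement, go to next_pos; else go to next_zero
#   ('halt',)                          final location
PROGRAM = {
    0: ('inc', 'c', 1),
    1: ('inc', 'd', 2),
    2: ('dec', 'c', 2, 3),   # empty counter c
    3: ('dec', 'd', 3, 4),   # then empty counter d
    4: ('halt',),
}
FINAL_LOCATIONS = {4}
BOUND = 3  # assumed counter bound: explored configurations have c, d in 0..BOUND

def step(gamma):
    """M-successors of configuration gamma = (i, c, d); at most one, since M is deterministic."""
    i, c, d = gamma
    ins = PROGRAM[i]
    if ins[0] == 'halt':
        return []
    if ins[0] == 'inc':
        _, reg, nxt = ins
        c2, d2 = (c + 1, d) if reg == 'c' else (c, d + 1)
        # Leaving the bounded region is treated as having no successor (artefact of the bound).
        return [(nxt, c2, d2)] if max(c2, d2) <= BOUND else []
    _, reg, nxt_pos, nxt_zero = ins
    if (c if reg == 'c' else d) == 0:
        return [(nxt_zero, c, d)]
    c2, d2 = (c - 1, d) if reg == 'c' else (c, d - 1)
    return [(nxt_pos, c2, d2)]

def configurations():
    return [(i, c, d) for i in PROGRAM for c in range(BOUND + 1) for d in range(BOUND + 1)]

STATES = [(g, k) for g in configurations() for k in (1, 2)]

def delta(state):
    """Transitions of the two-copy encoding: copy 1 -> copy 2 of the same configuration,
    copy 2 -> copy 1 of each M-successor."""
    gamma, copy = state
    if copy == 1:
        return {(gamma, 2)}
    return {(g2, 1) for g2 in step(gamma)}

def pre(targets):
    """Pre(X): states with at least one successor in X."""
    return {s for s in STATES if delta(s) & targets}

def final_states():
    """F: final configurations of M, in copy 1."""
    return {(g, 1) for g in configurations() if g[0] in FINAL_LOCATIONS}

def pre2_iterate(i):
    """(Pre^2)^i(F): i applications of Pre∘Pre to F."""
    x = final_states()
    for _ in range(i):
        x = pre(pre(x))
    return x

def mu_final_or_nextnext():
    """Least fixpoint of x = F ∪ Pre(Pre(x)), i.e. the formula (mu x : Final ∨ ∃○∃○ x)."""
    x = final_states()
    while True:
        nxt = x | pre(pre(x))
        if nxt == x:
            return x
        x = nxt

def reaches_final_in(gamma, n):
    """Forward check: M reaches a final location from gamma in exactly n steps."""
    cur = gamma
    for _ in range(n):
        succ = step(cur)
        if not succ:
            return False
        cur = succ[0]
    return cur[0] in FINAL_LOCATIONS

def lemma_5c_holds(max_i=12):
    """(gamma,1) ∈ (Pre^2)^i(F) iff M has a length-i computation from gamma to a final configuration."""
    for i in range(max_i + 1):
        layer = pre2_iterate(i)
        if any(((g, 1) in layer) != reaches_final_in(g, i) for g in configurations()):
            return False
    return True

if __name__ == "__main__":
    print(sorted(g for g, _ in mu_final_or_nextnext()))
```

The fixpoint returned by mu_final_or_nextnext contains only copy-1 states, because each $\mathit{Pre}^2$ step moves from copy 1 through copy 2 and back; the set of configurations it selects coincides with the configurations from which the forward simulation reaches location 4.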

Theorem 5B (Undecidability) The L4 and P4 model-checking problems are undecidable for the class STS5 of symbolic transition systems.

5.4 Example: Networks of Rectangular Hybrid Automata

A network of timed automata [AJ98] consists of a finite-state controller and an arbitrarily large set of identical 1D timed automata. The continuous evolution of the system increases the values of all variables. The discrete transitions of the system are specified by a set of synchronization rules. We generalize the definition to rectangular automata. Formally, a network of rectangular automata is a triple $(C, H, R)$, where $C$ is a finite set of controller locations, $H$ is a 1D rectangular automaton, and $R$ is a finite set of rules of the form $r = ((c, c'), e_1, \ldots, e_n)$, where $c, c' \in C$ and $e_1, \ldots, e_n$ are jumps of $H$. The rule $r$ is enabled if the controller state is $c$ and there are $n$ rectangular automata $H_1, \ldots, H_n$ whose states are such that the jumps $e_1, \ldots, e_n$, respectively, can be performed. The rule $r$ is executed by simultaneously changing the controller state to $c'$ and the state of each $H_i$, for $1 \leq i \leq n$, according to the jump $e_i$. The following result is proved in [AJ98] for networks of timed automata. The proof can be extended to rectangular automata using the observation that every rectangular automaton is simulated by an appropriate timed automaton [HKPV98].

Theorem 5C The networks of rectangular automata belong to the class STS5. There is a network of timed automata that does not belong to STS4.
Fig. 12. Reach equivalence is coarser than bounded-reach equivalence

6 General Symbolic Transition Systems

For studying reachability questions on symbolic transition systems, it is natural to consider the following 
fragment of bounded-reachability logic. 

Definition: Reachability logic The reachability logic $L_6$ consists of the formulas that are generated by the grammar

$\varphi \;::=\; p \mid \varphi \vee \varphi \mid \exists\Diamond \varphi,$

for constants $p \in \Pi$. □

The reachability logic $L_6$ is less expressive than the bounded-reachability logic $L_5$, because it induces the following state equivalence $\cong_6$, which is coarser than bounded-reach equivalence (see Figure 12: all states $u_i$, for $i \geq 0$, are reach equivalent, but no two of them are bounded-reach equivalent).

Definition: Reach equivalence Let $S$ be a transition system. Two states $u$ and $v$ of $S$ are reach equivalent, denoted $u \cong_6 v$, if for every source-$u$ trace of $S$ with target $p$, there is a source-$v$ trace of $S$ with target $p$, and vice versa. The state equivalence $\cong_6$ is called reach equivalence. □

For every symbolic transition system $S$ with $k$ observables, the reach-equivalence relation $\cong_6$ has at most $2^k$ equivalence classes and, therefore, finite index. Since the reachability problem is undecidable for many kinds of symbolic transition systems (including Turing machines and polyhedral hybrid automata [ACH+95]), it follows that there cannot be a general algorithm for computing the reach-equivalence quotient of symbolic transition systems.
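As an added example (not from the paper), the following Python computes, on a small constructed finite transition system with two observables, the $\mathit{Pre}^*$ iteration for each observable, the reach-equivalence partition (whose size the $2^k$ bound above limits), and the finer bounded-reach partition, so that the point illustrated by Figure 12 can be checked concretely: the states u0, u1 and u2 below are reach equivalent but pairwise not bounded-reach equivalent. The system itself and all names (EDGES, OBSERVABLES, pre_star, reach_classes, bounded_reach_classes) are the example's own assumptions; on a finite system the quotient is computable, which is what the undecidability remark above rules out in general.

```python
# Added example: reach equivalence versus bounded-reach equivalence on a constructed finite system.

# Constructed system: a chain u0 -> u1 -> u2 -> u3 -> u4 -> t where only t carries observable 'p',
# plus a sink v carrying observable 'q', reachable directly from u0 and from u2.
EDGES = {
    'u0': {'u1', 'v'},
    'u1': {'u2'},
    'u2': {'u3', 'v'},
    'u3': {'u4'},
    'u4': {'t'},
    't': set(),
    'v': set(),
}
OBSERVABLES = {'p': {'t'}, 'q': {'v'}}  # k = 2 observables, each given as its state set

def pre(targets):
    """Pre(X): states with at least one successor in X."""
    return {s for s, succ in EDGES.items() if succ & targets}

def pre_star(targets):
    """Iterate Pre from an observable set until no new state appears (the STS5 procedure).
    Returns the closure and the number of rounds that added states."""
    x = set(targets)
    rounds = 0
    while True:
        nxt = x | pre(x)
        if nxt == x:
            return x, rounds
        x = nxt
        rounds += 1

def reach_signature(state):
    """Observables reachable from state; two states are reach equivalent iff their signatures agree,
    so there are at most 2^k classes."""
    return frozenset(p for p, s in OBSERVABLES.items() if state in pre_star(s)[0])

def reach_classes():
    classes = {}
    for s in EDGES:
        classes.setdefault(reach_signature(s), set()).add(s)
    return classes

def bounded_reach_signature(state, horizon=None):
    """For each distance d = 0..horizon, the observables reachable in d or fewer transitions
    (bounded-reach equivalence compares these tuples)."""
    if horizon is None:
        horizon = len(EDGES)  # paths longer than |states| repeat a state, so this suffices
    sig = []
    frontier = {state}
    seen = set(frontier)
    for _ in range(horizon + 1):
        sig.append(frozenset(p for p, s in OBSERVABLES.items() if seen & s))
        frontier = {nxt for f in frontier for nxt in EDGES[f]}
        seen |= frontier
    return tuple(sig)

def bounded_reach_classes():
    classes = {}
    for s in EDGES:
        classes.setdefault(bounded_reach_signature(s), set()).add(s)
    return classes

if __name__ == "__main__":
    print("reach classes:", reach_classes())
    print("bounded-reach classes:", len(bounded_reach_classes()))
```

Running it shows three reach-equivalence classes ({u0, u1, u2}, {u3, u4, t}, {v}), well within the $2^2$ bound, while bounded-reach equivalence separates every state of the chain because each reaches 'p' at a different distance.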